Next kernel security release hell

Next kernel security release hell

Fabio M. Di Nitto-2

Hi guys,
        I have basically completed the packages that will hit warty/hoary/breezy in
-security.

There are two problems I need help to address:

1) this huge update requires deep testing, because the changes are intrusive and
that means covering all 3 main arches on all 3 releases in as many flavours as
possible. I simply don't have hw available to cover everything here.

2) due to the nature of the changes, there is a kernel ABI bump in all 3
releases. AFAIK we never had this situation before and this drags in the problem
of uploading linux-restricted-modules and linux-meta.
We never agreed on (or talked about) whether the rebuild of the latter should be done via
-security or -updates.
I personally would like to see them entering the same suite (-security) as the
kernel even if they do not contain security updates themselves. Any objection?
Better ideas?

Colin: AFAIR warty did not build udeb from the kernel itself. I assume we will
not need to update d-i, but for a person that has -security in his sources.list
it will make one package unbuildable (the one that was doing deb -> udeb
conversion and I can't remember the name).
How should we address this problem IF we have to address it?

Fabio

--
I'm going to make him an offer he can't refuse.

--
kernel-team mailing list
[hidden email]
http://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: Next kernel security release hell

Colin Watson
On Thu, Nov 17, 2005 at 01:55:14PM +0100, Fabio Massimo Di Nitto wrote:

> I have basically completed the packages that will hit warty/hoary/breezy in
> -security.
>
> There are two problems I need help to address:
>
> 1) this huge update requires deep testing, because the changes are intrusive and
> that means covering all 3 main arches on all 3 releases in as many flavours as
> possible. I simply don't have hw available to cover everything here.
>
> 2) due to the nature of the changes, there is a kernel ABI bump in all 3
> releases. AFAIK we never had this situation before and this drags in the problem
> of uploading linux-restricted-modules and linux-meta.

We never had ABI bumps in all releases before, but we've already had two
ABI bumps in hoary.

> We never agreed on (or talked about) whether the rebuild of the latter should be done via
> -security or -updates.
> I personally would like to see them entering the same suite (-security) as the
> kernel even if they do not contain security updates themselves.

I agree; this makes sense.

> Colin: AFAIR warty did not build udeb from the kernel itself. I assume we will
> not need to update d-i, but for a person that has -security in his sources.list
> it will make one package unbuildable (the one that was doing deb -> udeb
> conversion and I can't remember the name).
> How should we address this problem IF we have to address it?

That would be linux-kernel-di-{amd64,i386,powerpc}-2.6 in warty. We
could (and arguably should) certainly upload these to -security as well
for completeness' sake, although as you say it's unlikely that we'll
update debian-installer itself.

--
Colin Watson                                       [[hidden email]]


Re: Next kernel security release hell

Adam Conrad-3
Fabio Massimo Di Nitto wrote:

> 2) due to the nature of the changes, there is a kernel ABI bump in all 3
> releases. AFAIK we never had this situation before and this drags in the
> problem of uploading linux-restricted-modules and linux-meta.
> We never agreed on (or talked about) whether the rebuild of the latter
> should be done via -security or -updates.
> I personally would like to see them entering the same suite (-security)
> as the kernel even if they do not contain security updates themselves.
> Any objection? Better ideas?

We pretty much have to send all updates to the same suite, since some
people may not have -updates enabled, and we'd end up breaking their
setups.  This precedent has been set in the past (for instance, enigmail
updates to match new mozilla/thunderbird in -security).  If you
need/want my help getting lrm updated, ping me on IRC (tomorrow, I'm
about to go back to bed and nurse my cold some more).

... Adam



Re: Next kernel security release hell

Fabio M. Di Nitto-2
Adam Conrad wrote:

> Fabio Massimo Di Nitto wrote:
>
>
>> 2) due to the nature of the changes, there is a kernel ABI bump in all 3
>> releases. AFAIK we never had this situation before and this drags in the
>> problem of uploading linux-restricted-modules and linux-meta.
>> We never agreed on (or talked about) whether the rebuild of the latter
>> should be done via -security or -updates.
>> I personally would like to see them entering the same suite (-security)
>> as the kernel even if they do not contain security updates themselves.
>> Any objection? Better ideas?
>
>
> We pretty much have to send all updates to the same suite, since some
> people may not have -updates enabled, and we'd end up breaking their
> setups.  This precedent has been set in the past (for instance, enigmail
> updates to match new mozilla/thunderbird in -security).  If you
> need/want my help getting lrm updated, ping me on IRC (tomorrow, I'm
> about to go back to bed and nurse my cold some more).
>
> ... Adam

Yes, I will need help with lrm. I am going to pre-publish some binaries for
testing with all -headers- stuff for you. I will ping you tomorrow when I
have them somewhere usable.

Fabio

--
I'm going to make him an offer he can't refuse.
