[cut-team] For discussion: security support strategy for the wheezy kernel

Michael Gilbert michael.s.gilbert at gmail.com
Sat Feb 19 19:04:22 UTC 2011


On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:

> On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
> [...]
> > Also, this solution isn't just about CUT stability.  As I've been
> > describing, it is about killing about 2 birds with one stone:
> > 
> > 1. Make testing always installable by retaining a stable/well-tested
> > kernel and associated d-i infrastructure
> 
> We do backport new hardware support to stable but we do not have the
> resources (time and equipment) to cover everything.  So this would mean
> that neither stable nor testing would be installable on some newer
> hardware.

Right, and in those rare cases, the user will have to sufficiently
educate themselves to be able to use unstable.

> > 2. Improve testing security by reducing the amount of vulnerabilities
> > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > described previously)
> 
> Huh?  I don't see any source for this figure.

http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html

> [...]
> > > (which is also important for new hardware support).
> > 
> > This seems to be a meme that continues to persist without much in the
> > way of evidence.  It certainly may have been true in the past, but I
> > think things have changed for the better with the advent of stable
> > upstream support (i.e. support for new hardware is backported to the
> > stable kernels).
> > 
> > Also, I've read about 10 reviews of squeeze, and none of them have
> > indicated any problems with hardware support (except for missing
> > support for non-free firmware) even though that uses a kernel initially
> > released almost a year and a half ago.
> [...]
> 
> I can assure you there is already a substantial backlog of new hardware
> that is currently unsupported in squeeze.  For example, any current ATI
> graphics chip.  And this is at the start of squeeze's lifetime, not the
> end.

I've been using ATI cards exclusively for some time now, although I've
also been willing to install the fglrx driver for full support ;)
Also, the xorg vesa driver does work.

Again, if the user is interested in such new developments, they will
need to be willing to learn how to run an unstable system.

Best wishes,
Mike


