[cut-team] [Secure-testing-team] For discussion: security support strategy for the wheezy kernel

Bastian Blank waldi at debian.org
Sat Feb 19 23:25:27 UTC 2011


On Sat, Feb 19, 2011 at 04:58:50PM -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 22:28:17 +0100 Bastian Blank wrote:
> > On Sat, Feb 19, 2011 at 03:55:03PM -0500, Michael Gilbert wrote:
> > > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> > >   Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > Actually you did not yet prove this. Please do it.
> I did verify it for the timeframe of the LWN study.

The LWN study is for a wrong time frame. We speak about .26-.32 here,
not .33-.36. Also it does not take stable kernel releases into account.

> > Hypothesis 3: Testing users want old software
> >   Criteria: to be determined
> >   Evidence: easy
> >   Conclusion: sorry, no chance
> Users have a variety of desires.

Yes. Stable users use stable. So you have to show that a majority of
users uses testing not to get new hardware support/new software.

> > > I can't imagine anyone else being put through such an arduous process
> > > to try an experiment for a couple months.  Why does it have to be so
> > > difficult?
> > You can run your little experiment. For blocking packages please persuade
> > the release team as responsible entity within Debian.
> Isn't it the kernel team that I need to convince? That's what this
> discussion is all about.

You were not able to convince one person of the kernel team. And I still
don't see what this experiment would provide for the _users_ (I
explicitly exclude your effort, because our priority is the users and
not your experiment).

Bastian

-- 
Time is fluid ... like a river with currents, eddies, backwash.
		-- Spock, "The City on the Edge of Forever", stardate 3134.0


