[cut-team] For discussion: security support strategy for the wheezy kernel

Lucas Nussbaum lucas at lucas-nussbaum.net
Sun Feb 20 07:24:32 UTC 2011


On 19/02/11 at 17:40 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 21:39:03 +0000 Ben Hutchings wrote:
> > > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> > > 
> > >   Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> > >   Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > >   Conclusion: hypothesis verified
> > >   
> > >   Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> > >   Evidence: to be collected # vulnerabilities in squeeze and wheezy
> > >   Conclusion: to be determined
> > 
> > This experiment does not require that the propagation of kernel packages
> > into testing is changed.
> 
> OK, revised hypothesis 1: using 2.6.32 in wheezy for the first year of its development
>                           will result in fewer vulnerabilities
> 
>   Criteria: fewer vulnerabilities in wheezy/2.6.32 vs unstable kernel over 1 year period
>   Evidence: to be collected # vulnerabilities affecting 2.6.32 and kernel in
>             unstable at the same time
>   Conclusion: to be determined
> 
> > > I can't imagine anyone else being put through such an arduous process
> > > to try an experiment for a couple months.  Why does it have to be so
> > > difficult?
> > 
> > Because this experiment would involve many thousands of users, and you
> > have to convince other developers that the benefit to these users may be
> > worth the cost.
> 
> OK, are you sufficiently convinced to give me a chance at this
> experiment, at least for a couple months???

I don't understand why you think that testing or CUT users want an "old"
kernel, but want to run recent software for everything else on their
system.

Also, you need to see the downsides of this proposed experiment. By not
upgrading the kernel in testing, you will limit the amount of testing
that the new kernel will receive. That could, in turn, cause more bugs
to be found late in the wheezy release process, making it harder to
reach a newer stable kernel.
Or are you suggesting that we stay with 2.6.32 forever? ;)

- Lucas
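The hypotheses quoted above hinge on one measurement: of the vulnerabilities published during a testing cycle, what share affects the older kernel as well as the newer one (the "67%" figure for lenny vs squeeze), and how many affect each kernel at all. The script below is an added illustration, not part of this thread or of the Debian security tracker; it assumes each vulnerability can be described by the upstream version that introduced the bug and the one that fixed it, and uses constructed placeholder records and a constructed time window.

```python
"""Added example: compare vulnerability exposure of two kernel versions
over a time window. Vulnerability records and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Dict


def parse_version(v: str) -> tuple:
    """Turn '2.6.32' into (2, 6, 32) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Vuln:
    ident: str               # placeholder identifier (constructed)
    published: date          # disclosure date
    introduced: str          # first upstream version carrying the bug
    fixed: Optional[str]     # first upstream version with the fix; None = unfixed


def affects(vuln: Vuln, kernel: str) -> bool:
    """True if the kernel version lies in [introduced, fixed)."""
    k = parse_version(kernel)
    if k < parse_version(vuln.introduced):
        return False
    if vuln.fixed is not None and k >= parse_version(vuln.fixed):
        return False
    return True


def compare_exposure(vulns: List[Vuln], older: str, newer: str,
                     start: date, end: date) -> Dict[str, float]:
    """Count vulnerabilities in the window hitting each kernel, and the
    share of the newer kernel's vulnerabilities that also hit the older one."""
    window = [v for v in vulns if start <= v.published <= end]
    newer_hits = [v for v in window if affects(v, newer)]
    shared = [v for v in newer_hits if affects(v, older)]
    older_only = [v for v in window
                  if affects(v, older) and not affects(v, newer)]
    share = len(shared) / len(newer_hits) if newer_hits else 0.0
    return {
        "newer_total": len(newer_hits),
        "older_total": len(shared) + len(older_only),
        "shared": len(shared),
        "older_only": len(older_only),
        "share_of_newer_also_in_older": round(share, 3),
    }


# Constructed sample records; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Vuln("VULN-A", date(2009, 6, 1), "2.6.20", "2.6.33"),   # hits both
    Vuln("VULN-B", date(2009, 9, 1), "2.6.30", "2.6.33"),   # newer only
    Vuln("VULN-C", date(2010, 1, 1), "2.6.10", "2.6.28"),   # older only
    Vuln("VULN-D", date(2010, 5, 1), "2.6.24", None),       # both, unfixed
    Vuln("VULN-E", date(2010, 8, 1), "2.6.31", "2.6.32"),   # neither
    Vuln("VULN-F", date(2012, 1, 1), "2.6.1", "2.6.40"),    # outside window
]

# Constructed window standing in for "the squeeze testing cycle".
WINDOW_START = date(2009, 2, 14)
WINDOW_END = date(2011, 2, 6)


def sample_result() -> Dict[str, float]:
    """Run the comparison for a 2.6.26-style older kernel vs 2.6.32."""
    return compare_exposure(SAMPLE, "2.6.26", "2.6.32",
                            WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for key, value in sample_result().items():
        print(f"{key}: {value}")
```

On the constructed sample, two of the three vulnerabilities hitting 2.6.32 also hit 2.6.26, giving a share of about 0.667, the same kind of figure quoted for lenny in the thread. Note that the window counts what affects each code base at disclosure; whether the older kernel actually received a backported fix is a separate question from whether it needed one.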