[Secure-testing-team] Re: Moving forward with the 2.4.27 and 2.6.8 kernels

Horms horms at debian.org
Thu Aug 18 09:51:13 UTC 2005


On Thu, Aug 18, 2005 at 12:55:24AM -0700, Steve Langasek wrote:
> Hi Horms,
> 
> The plans you've described all sound good.  I'm glad to see some
> movement on the question of kernel updates for sarge.
> 
> On Tue, Aug 16, 2005 at 03:31:21PM +0900, Horms wrote:
> 
> > Back to releases. After 2.4.27-11 is out, which should be very soon,
> > I would like to take what we have in SVN for both 2.6.8 and 2.4.27,
> > strip out all the non-security patches since Sarge (2.6.8-16 and
> > 2.4.27-10) and make a security release. When I say strip out, I
> > mean comment out the changelog line and the patch entry in the
> > series file. That's all. There doesn't seem any reason to hide
> > other changes that have been included in SVN. Nor any reason
> > not to include the patches in the release - even if they aren't applied.
> > In short, this should make producing a security release a simple matter
> > of reading the changelog, adding a dozen or so # characters,
> > tagging and building. 
> 
> You'll have to get the security team's ok on this, though; I understand
> that you're coming from the position of wanting it to be easy to build
> these security updates off of the current tree, but the security team is
> definitely going to be coming at it from the other direction -- wanting
> to have a handle on what the differences are compared with the current
> stable package.

All the patches are broken out. So just because a patch is present,
doesn't mean it's applied. And if it isn't applied, then it isn't
included in the code that is built. But I can understand that the
security team might be more comfortable in omitting the patches.

Obviously the security team needs to be involved. However
CCing them on emails seems largely fruitless. Do you have
any ideas on how to work with them to make this release happen?
It is becoming quite frustrating to say the least.

> > Of course as many arches need to do builds as possible. And as I
> > mentioned above, I am a little unsure about what queue to use for
> > security updates. Which is why I am writing this message.
> 
> I think I saw that you figured this out in a later message, but just to
> confirm, the builds will need to go to the stable-security queue on
> security.debian.org, and need to be approved by the security team
> before being uploaded.

Yeah, I read up on that after I sent this message.

> > After all of that I'd like to look at getting some packages together
> > for a Sarge update (i.e. Sarge r1). That's probably just a matter
> > of uploading to the right queue. Though it would be nice to know
> > about what the planned timing for releasing r1 is, as it would
> > be nice to make sure a kernel came out a bit before the release.
> 
> Yes, for this you should be able to upload to the "stable" queue on
> ftp-master.debian.org at any time.  Your r1 updates should have a later
> version number than your proposed security updates, so that the one with
> the more complete set of fixes takes precedence.  As far as a schedule
> for r1, you'd need to ask Joey Schulze.

Ok, I've CCed him on this mail to try and get his attention.



-- 
Horms



