[Secure-testing-team] Kernel vulnerabilities in sarge-checks

Dominic Hargreaves dom at earth.li
Tue Mar 22 15:10:14 UTC 2005


On Tue, Mar 22, 2005 at 02:24:49PM +0100, Stefan Fritsch wrote:

> I think for now (i.e. before the freeze) we can leave this to the 
> kernel team. When we actually get near to release we should recheck 
> all kernel images. As there are several images per architecture this 
> would create a lot of bug reports and quite a bit of additional work 
> for the kernel team and us.

In the interests of transparency I think it is important that we provide
an accurate picture of the current state of testing - and this means not
hiding vulnerabilities that exist in testing.

The additional work on the part of the kernel maintainers would be
limited to the administrivia of having bugs filed on their packages, and
as far as I can see this would mostly be restricted to one bug per arch
as most archs only have one source package for kernel-image. This is
surely something that should be done anyway.

The work is achievable on our side - and I'm offering to do it. If there
is really opposition to filing the relevant bugs on kernel-image
packages (which sounds ludicrous to me when it comes to security
vulnerabilities) then we can simply not do that, but continue to track
things in sarge-checks.

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



