[Secure-testing-team] Kernel vulnerabilities in sarge-checks

[Dominic Hargreaves]

On Tue, Mar 22, 2005 at 02:24:49PM +0100, Stefan Fritsch wrote:

> I think for now (i.e. before the freeze) we can leave this to the 
> kernel team. When we actually get near to release we should recheck 
> all kernel images. As there are several images per architecture this 
> would create a lot of bug reports and quite a bit of additional work 
> for the kernel team and us.

Just to add to my previous messages - some points that I didn't address
earlier.

As far as waiting until the freeze goes: my take on that is that in
order to be ready for a freeze, one needs to get as much as possible
ready beforehand anyway. I haven't spoken to the security team, but for
example one thing that might happen is that once their autobuilder is
finally ready they may want to test it with some kernel packages, and
having information available for them to use at that time hopefully
would help them. I'd like there to be information available on the
state of the archive at *all* times, not just once we've frozen.

I've taken on board your point about the kernel maintainers though. I
will for the time being assume that they are on top of things, and not
nag them.

Sorry if it seems like I ignored your response by going ahead and adding
things to the list anyway, but I hope I've explained my reasoning :)

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)