[Secure-testing-team] [cut-team] For discussion: security support strategy for the wheezy kernel

Ben Hutchings ben at decadent.org.uk
Sat Feb 19 19:32:08 UTC 2011


On Sat, 2011-02-19 at 14:04 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:
> 
> > On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
[...]
> > > 2. Improve testing security by reducing the amount of vulnerabilities
> > > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > > described previously)
> > 
> > Huh?  I don't see any source for this figure.
> 
> http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
> http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html

I read those and I can't see any source for comparison between 2.6.32
and 2.6.37.  In fact you say that 'squeeze (2.6.32) was vulnerable to
98% (51 out of 52)' which implies only 2% fewer vulnerabilities.

> > [...]
> > > > (which is also important for new hardware support).
> > > 
> > > This seems to be a meme that continues to persist without much in the
> > > way of evidence.  It certainly may have been true in the past, but I
> > > think things have changed for the better with the advent of stable
> > > upstream support (i.e. support for new hardware is backported to the
> > > stable kernels).
> > > 
> > > Also, I've read about 10 reviews of squeeze, and none of them have
> > > indicated any problems with hardware support (except for missing
> > > support for non-free firmware) even though that uses a kernel initially
> > > released almost a year and a half ago.
> > [...]
> > 
> > I can assure you there is already a substantial backlog of new hardware
> > that is currently unsupported in squeeze.  For example, any current ATI
> > graphics chip.  And this is at the start of squeeze's lifetime, not the
> > end.
> 
> I've been using ATI cards exclusively for some time now; although I've
> also been willing to install the fglrx driver for full support ;)

Then I really can't take your concern for security seriously.  The
changelog for fglrx-source has no mention of security fixes, and I don't
for one moment believe there are no vulnerabilities in it.

> Also, the xorg vesa driver does work.

Seems like a waste of money to buy an ATI card and then use it as a dumb
framebuffer.

> Again, if the user is interested in such new developments, they will
> need to be willing to learn how to run an unstable system.

I thought that users interested in new stuff were supposed to run CUT.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.