[Secure-testing-team] [cut-team] For discussion: security support strategy for the wheezy kernel
Bastian Blank
waldi at debian.org
Sat Feb 19 21:28:17 UTC 2011
On Sat, Feb 19, 2011 at 03:55:03PM -0500, Michael Gilbert wrote:
> Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
>
> Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> Conclusion: hypothesis verified
Actually you did not yet prove this. Please do it.
> Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> Evidence: to be collected # vulnerabilities in squeeze and wheezy
> Conclusion: to be determined
>
> Hypothesis 2: using an older kernel version makes less work to provide CUT
>
> Criteria: how often CUT target release date is met
> Evidence: to be collected monthly release date by retaining 2.6.32 and monthly
> for standard unstable->testing transitions
> (note: requires a 2.6.32-only period for reference)
> Conclusion: to be determined
Hypothesis 3: Testing users want old software
Criteria: to be determined
Evidence: easy
Conclusion: sorry, no chance
> I can't imagine anyone else being put through such an arduous process
> to try an experiment for a couple months. Why does it have to be so
> difficult?
You can run your little experiment. For blocking packages please persuade
the release team as the responsible entity within Debian.
Bastian
--
The joys of love made her human and the agonies of love destroyed her.
-- Spock, "Requiem for Methuselah", stardate 5842.8