[Secure-testing-team] [cut-team] For discussion: security support strategy for the wheezy kernel
Michael Gilbert
michael.s.gilbert at gmail.com
Sat Feb 19 22:40:28 UTC 2011
On Sat, 19 Feb 2011 21:39:03 +0000 Ben Hutchings wrote:
> > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> >
> > Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> > Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > Conclusion: hypothesis verified
> >
> > Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> > Evidence: to be collected # vulnerabilities in squeeze and wheezy
> > Conclusion: to be determined
>
> This experiment does not require that the propagation of kernel packages
> into testing is changed.

OK, revised hypothesis 1: using 2.6.32 in wheezy for the first year of its development
will result in fewer vulnerabilities

Criteria: fewer vulnerabilities in wheezy/2.6.32 vs unstable kernel over 1 year period
Evidence: to be collected # vulnerabilities affecting 2.6.32 and kernel in
unstable at the same time
Conclusion: to be determined

> > I can't imagine anyone else being put through such an arduous process
> > to try an experiment for a couple months. Why does it have to be so
> > difficult?
>
> Because this experiment would involve many thousands of users, and you
> have to convince other developers that the benefit to these users may be
> worth the cost.
OK, are you sufficiently convinced to give me a chance at this
experiment, at least for a couple months???
Best wishes,
Mike