[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#851702: marked as done (linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels)

Your message dated Tue, 17 Jan 2017 19:54:49 +0000
with message-id <1484682889.2998.61.camel@decadent.org.uk>
and subject line Re: Bug#851702: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
has caused the Debian Bug report #851702,
regarding linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
851702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851702
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-amd64
Version: 4.8+77~bpo8+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now two flavours of Linux kernels are released. The default ones are
signed ones while other unsigned kernels are available.

The problem is that there's a significant delay between the release of the two
flavours, often more than one week, which exposes users of signed kernels to
critical vulnerabilities addressed in the newer kernel releases. The only possible workaround is to switch on
-unsigned linux kernels, but this is messy and clearly unwanted.

I've raised an issue on BPO mailing list here : https://lists.debian.org
/debian-backports/2017/01/msg00033.html (the issue also applies to testing and
unstable).

The answer is basically that :
1/ - unsigned kernels are only available for testing purposes
2/ - it is not possible to build simultaneously signed and unsigned kernels.

I'm okay with the latter as long as there's only a couple of hours between the
two kernel releases. Now if we must wait more than one week to get the signed
image it clearly reveals there's an issue in the signed image build process
which must be addressed before Stretch release.

Otherwise a possibility would be to use by default -unsigned image and create
an optional linux-image-amd64-signed metapackage like the one which exists for
grsec.



-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-amd64 depends on:
ii  linux-image-4.8.0-0.bpo.2-amd64-unsigned [linux-image-4.8.  4.8.15-2~bpo8+1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information


--- End Message ---
--- Begin Message --- 
On Tue, 2017-01-17 at 20:17 +0100, Julien Aubin wrote:
> Package: linux-image-amd64
> Version: 4.8+77~bpo8+1
> Severity: critical
> Tags: security
> Justification: root security hole

Let's not play BTS wars.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert
Camus

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
Reply to: