Your message dated Tue, 17 Jan 2017 19:54:49 +0000 with message-id <1484682889.2998.61.camel@decadent.org.uk> and subject line Re: Bug#851702: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels has caused the Debian Bug report #851702, regarding linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
851702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851702
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
- From: Julien Aubin <jul.aubin@laposte.net>
- Date: Tue, 17 Jan 2017 20:17:31 +0100
- Message-id: <CAB=k8W+U6QFeND_-VqohRbQcxj-kayUrCoY3K78vKQAeyUjPBA@mail.gmail.com>
Package: linux-image-amd64
Version: 4.8+77~bpo8+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now two flavours of Linux kernels are released. The default ones are signed ones while other unsigned kernels are available.

The problem is that there's a significant delay between the release of the two flavours, often more than one week, which exposes users of signed kernels to critical vulnerabilities addressed in the newer kernel releases. The only possible workaround is to switch on-unsigned linux kernels, but this is messy and clearly unwanted.

I've raised an issue on BPO mailing list here : https://lists.debian.org/debian-backports/2017/01/msg00033.html (the issue also applies to testing and unstable).

The answer is basically that :
1/ - unsigned kernels are only available for testing purposes
2/ - it is not possible to build simultaneously signed and unsigned kernels.

I'm okay with the latter as long as there's only a couple of hours between the two kernel releases. Now if we must wait more than one week to get the signed image it clearly reveals there's an issue in the signed image build process which must be addressed before Stretch release.

Otherwise a possibility would be to use by default -unsigned image and create an optional linux-image-amd64-signed metapackage like the one which exists for grsec.

-- System Information:
Debian Release: 8.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-amd64 depends on:
ii linux-image-4.8.0-0.bpo.2-amd64-unsigned [linux-image-4.8. 4.8.15-2~bpo8+1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 851702-done@bugs.debian.org
- Subject: Re: Bug#851702: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Tue, 17 Jan 2017 19:54:49 +0000
- Message-id: <1484682889.2998.61.camel@decadent.org.uk>
- In-reply-to: <CAB=k8W+U6QFeND_-VqohRbQcxj-kayUrCoY3K78vKQAeyUjPBA@mail.gmail.com>
- References: <CAB=k8W+U6QFeND_-VqohRbQcxj-kayUrCoY3K78vKQAeyUjPBA@mail.gmail.com>
On Tue, 2017-01-17 at 20:17 +0100, Julien Aubin wrote:
> Package: linux-image-amd64
> Version: 4.8+77~bpo8+1
> Severity: critical
> Tags: security
> Justification: root security hole

Let's not play BTS wars.

Ben.

--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---