Re: Sarge kernels and Volatile
On Tue, 2005-08-02 at 18:10 -0400, Michael Stone wrote:
> On Tue, Aug 02, 2005 at 03:43:42PM -0400, Andres Salomon wrote:
> >until fairly recently; we've gotten conflicting answers ranging from "We
> >should provide kernel updates and the security team will use them
> >verbatim"
>
> generally the security team at least glances at what's released in a
> dsa.
>
> >to "Don't even bother providing an update, you're just wasting
> >your time".
>
> I have no idea who said that.
>
There were a range of answers from all sorts of folks; RMs, QA people,
etc. No two were alike.
> >problems and build (and work) on all 11 archs. We need to know just how
> >much leeway we have with our update; can we include an ABINAME bump?
>
> We've done it before when absolutely necessary. I'd expect that to be a
> last resort, because it'll definitely screw people who expect apt-get to
> magically upgrade them.
We've gone over this with joeyh, he thinks it's ok to do. I do believe
it's absolutely necessary.
>
> >Can we include other important fixes?
>
> Not in a security update, unless it's security-critical. You can argue
> with the stable release manager over additional changes to a package in
> sarge-proposed-updates.
>
Ok, thanks.
> >of security fixes that don't break the ABI? Will you leave it up to our
> >judgement as to what security fixes to include, or will you have to ok
> >each and every patch?
>
> Expect it to be reviewed, but as long as you don't make any mistakes
> your judgement should be fine. :)
>
Then the process will probably be to release a new kernel-source-2.6.8
(and possibly kernel-image-2.6.8-i386), get it ok'd by the security
team, and then do rebuilds of the rest of the kernel-image packages.
Ditto for 2.4.27.
> >As for taking responsibility for the security updates, I believe Horms
> >is more than willing
>
> He's the one who told me nobody was coordinating kernel security
> updates...
Yes, because 2 months ago, that was the case.