1 |
Hi! |
2 |
|
3 |
On Fri, Jul 11, 2014 at 07:55:02AM -0400, Anthony G. Basile wrote: |
4 |
> > Anyone bothers to stabilize 3.14.11-r1 anytime soon because of subj? |
5 |
> |
6 |
> Anyone = me. You can address these concerns to me personally as I am |
7 |
> responsible. Bugs are best so we have a public record. |
8 |
> |
9 |
> I am aware of the issue. There have been too many rapid stabilizations |
10 |
> because of CVE-2014-3153 and other issues. It doesn't help if I |
11 |
> stabilize a kernel which panics on someone's hardware that I can't test |
12 |
> on --- security issue or not. Been there done that. There is a balance |
13 |
> of risk which your statement does not take into account. |
14 |
|
15 |
I'm sorry if my question sounds offensive to you, this wasn't intentional. |
16 |
|
17 |
I understand the risks, but: |
18 |
- Gentoo is usually slower than other distributions on this, which is sad |
19 |
- Hardened kernels are special ones - if people use hardened it means they |
20 |
bothers about security more than average linux user, so they more likely |
21 |
to accept the risks you mentioned |
22 |
- If you (I mean Gentoo devs in general, not personally you) didn't |
23 |
release or stabilize such a critical security fix because of some |
24 |
reasons (not well tested on some hardware, known to have issues on some |
25 |
hardware, etc.) - I think you should ASAP release GLSA or news or |
26 |
whatever (announcement in this maillist, at last) to force emerge to |
27 |
notify users about EXACT REASONS why this security fix isn't stabilized |
28 |
yet - to let THEM decide is these reasons apply to THEIR hardware and is |
29 |
they ready to take such risk and update to ~ARCH (or at least give them |
30 |
idea about when it expected to be stabilized and, if any, possible |
31 |
recommendations how to temporary protect against this security issue |
32 |
until new kernel will be stabilized) |
33 |
|
34 |
Last point doesn't mean you should do extra work/research etc. - just |
35 |
share information you already have (reasons to not stabilize right now) |
36 |
and keep people updated about changes/progress. |
37 |
|
38 |
-- |
39 |
WBR, Alex. |