| 1 |
Hi! |
| 2 |
|
| 3 |
On Fri, Jul 11, 2014 at 07:55:02AM -0400, Anthony G. Basile wrote: |
| 4 |
> > Anyone bothers to stabilize 3.14.11-r1 anytime soon because of subj? |
| 5 |
> |
| 6 |
> Anyone = me. You can address these concerns to me personally as I am |
| 7 |
> responsible. Bugs are best so we have a public record. |
| 8 |
> |
| 9 |
> I am aware of the issue. There have been too many rapid stabilizations |
| 10 |
> because of CVE-2014-3153 and other issues. It doesn't help if I |
| 11 |
> stabilize a kernel which panics on someone's hardware that I can't test |
| 12 |
> on --- security issue or not. Been there done that. There is a balance |
| 13 |
> of risk which your statement does not take into account. |
| 14 |
|
| 15 |
I'm sorry if my question sounds offensive to you, this wasn't intentional. |
| 16 |
|
| 17 |
I understand the risks, but: |
| 18 |
- Gentoo is usually slower than other distributions on this, which is sad |
| 19 |
- Hardened kernels are special ones - if people use hardened it means they |
| 20 |
bothers about security more than average linux user, so they more likely |
| 21 |
to accept the risks you mentioned |
| 22 |
- If you (I mean Gentoo devs in general, not personally you) didn't |
| 23 |
release or stabilize such a critical security fix because of some |
| 24 |
reasons (not well tested on some hardware, known to have issues on some |
| 25 |
hardware, etc.) - I think you should ASAP release GLSA or news or |
| 26 |
whatever (announcement in this maillist, at last) to force emerge to |
| 27 |
notify users about EXACT REASONS why this security fix isn't stabilized |
| 28 |
yet - to let THEM decide is these reasons apply to THEIR hardware and is |
| 29 |
they ready to take such risk and update to ~ARCH (or at least give them |
| 30 |
idea about when it expected to be stabilized and, if any, possible |
| 31 |
recommendations how to temporary protect against this security issue |
| 32 |
until new kernel will be stabilized) |
| 33 |
|
| 34 |
Last point doesn't mean you should do extra work/research etc. - just |
| 35 |
share information you already have (reasons to not stabilize right now) |
| 36 |
and keep people updated about changes/progress. |
| 37 |
|
| 38 |
-- |
| 39 |
WBR, Alex. |
Archives