Gentoo Archives: gentoo-kernel

From: Tom Wijsman <TomWij@g.o>
To: gentoo-kernel@l.g.o
Cc: mpagano@g.o
Subject: Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
Date: Thu, 21 Mar 2013 12:23:09
Message-Id: 20130321132235.42a0d14a@TOMWIJ-GENTOO
In Reply to: Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release by "Eric F. GARIOUD"
1 On Thu, 21 Mar 2013 12:43:29 +0100
2 "Eric F. GARIOUD" <eric-f.garioud@×××××××.fr> wrote:
4 > On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote:
5 >
6 > > Added: 1069_linux-3.0.70.patch
7 > > Added: 1040_linux-3.2.41.patch
8 > > Added: 1036_linux-3.4.37.patch
9 > > Added: 1003_linux-3.8.4.patch
10 >
11 > Should I understand from this that the gentoo-sources project gets no
12 > intention to port the security fixes back to the 3.7 and 3.6
13 > branches ?
15 Above commit merely reflects the upstream version bumps, you will not
16 want to draw assumptions based on a single commit.
18 As to address your question, it doesn't come down to intention but
19 rather to manpower. There are way too much security bugs for ~2
20 kernel maintainers to handle [1] while we have to deal with normal
21 kernel bugs [2], kernel version bumps, relevant packages and more...
23 It doesn't just stop with the lack of manpower on the kernel team, the
24 stabilization team can't provide the effort to stabilize all security
25 fixes; I'm considering to join amd64 and x86, but that's not enough.
27 Therefore, we currently only deal with the security fixes which can
28 allow a normal user to gain root privileges in one or another way;
29 these are the most severe and special attention is given to those.
31 Then, the other thing to consider would indeed be intention; if we were
32 able to do this, we would combine them into revision bumps so there
33 isn't anything else than the lack of manpower in the way, afaik.
35 [1]: List of kernel bugs assigned to security@g.o.
38 [2]: List of kernel bugs not assigned to security@g.o.
41 > In case of a positive answer and in case I would port the security
42 > fixes back to the 3.6 branch myself, would you accept to package &
43 > distribute the result as genpatches ?
44 >
46 There are two approaches here (I assume you are not a Gentoo Dev):
48 1) You could opt to become a Gentoo Developer and join the kernel team;
49 we can mentor you, you then no longer need to await proxy-maint.
51 2) If possible by policy, we could ask for you to get explicit access
52 to genpatches such that you can add these patches and then when there
53 are a sufficient amount in a branch we can then release a new genpatches
54 for that branch.
56 A third approach would be sending patches, but that would introduce a
57 lot of unnecessary communication which burdens us both with extra work.
59 Please note that fixing these security bugs go further than just
60 maintaining EOL branches; the LTS branches also need to be checked,
61 it might not always guaranteed upstream ports back everything to that.
64 With kind regards,
66 Tom Wijsman (TomWij)
67 Gentoo Developer
69 E-mail address : TomWij@g.o
70 GPG Public Key : 6D34E57D
71 GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release "Eric F. GARIOUD" <eric-f.garioud@×××××××.fr>