| 1 |
On Thu, 21 Mar 2013 12:43:29 +0100 |
| 2 |
"Eric F. GARIOUD" <eric-f.garioud@×××××××.fr> wrote: |
| 3 |
|
| 4 |
> On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote: |
| 5 |
> |
| 6 |
> > Added: 1069_linux-3.0.70.patch |
| 7 |
> > Added: 1040_linux-3.2.41.patch |
| 8 |
> > Added: 1036_linux-3.4.37.patch |
| 9 |
> > Added: 1003_linux-3.8.4.patch |
| 10 |
> |
| 11 |
> Should I understand from this that the gentoo-sources project gets no |
| 12 |
> intention to port the security fixes back to the 3.7 and 3.6 |
| 13 |
> branches ? |
| 14 |
|
| 15 |
Above commit merely reflects the upstream version bumps, you will not |
| 16 |
want to draw assumptions based on a single commit. |
| 17 |
|
| 18 |
As to address your question, it doesn't come down to intention but |
| 19 |
rather to manpower. There are way too much security bugs for ~2 |
| 20 |
kernel maintainers to handle [1] while we have to deal with normal |
| 21 |
kernel bugs [2], kernel version bumps, relevant packages and more... |
| 22 |
|
| 23 |
It doesn't just stop with the lack of manpower on the kernel team, the |
| 24 |
stabilization team can't provide the effort to stabilize all security |
| 25 |
fixes; I'm considering to join amd64 and x86, but that's not enough. |
| 26 |
|
| 27 |
Therefore, we currently only deal with the security fixes which can |
| 28 |
allow a normal user to gain root privileges in one or another way; |
| 29 |
these are the most severe and special attention is given to those. |
| 30 |
|
| 31 |
Then, the other thing to consider would indeed be intention; if we were |
| 32 |
able to do this, we would combine them into revision bumps so there |
| 33 |
isn't anything else than the lack of manpower in the way, afaik. |
| 34 |
|
| 35 |
[1]: List of kernel bugs assigned to security@g.o. |
| 36 |
https://bugs.gentoo.org/buglist.cgi?quicksearch=Kernel%20assignee%3Asecurity%40gentoo.org |
| 37 |
|
| 38 |
[2]: List of kernel bugs not assigned to security@g.o. |
| 39 |
https://bugs.gentoo.org/buglist.cgi?cmdtype=runnamed&namedcmd=Kernel&list_id=1621534 |
| 40 |
|
| 41 |
> In case of a positive answer and in case I would port the security |
| 42 |
> fixes back to the 3.6 branch myself, would you accept to package & |
| 43 |
> distribute the result as genpatches ? |
| 44 |
> |
| 45 |
|
| 46 |
There are two approaches here (I assume you are not a Gentoo Dev): |
| 47 |
|
| 48 |
1) You could opt to become a Gentoo Developer and join the kernel team; |
| 49 |
we can mentor you, you then no longer need to await proxy-maint. |
| 50 |
|
| 51 |
2) If possible by policy, we could ask for you to get explicit access |
| 52 |
to genpatches such that you can add these patches and then when there |
| 53 |
are a sufficient amount in a branch we can then release a new genpatches |
| 54 |
for that branch. |
| 55 |
|
| 56 |
A third approach would be sending patches, but that would introduce a |
| 57 |
lot of unnecessary communication which burdens us both with extra work. |
| 58 |
|
| 59 |
Please note that fixing these security bugs go further than just |
| 60 |
maintaining EOL branches; the LTS branches also need to be checked, |
| 61 |
it might not always guaranteed upstream ports back everything to that. |
| 62 |
|
| 63 |
|
| 64 |
With kind regards, |
| 65 |
|
| 66 |
Tom Wijsman (TomWij) |
| 67 |
Gentoo Developer |
| 68 |
|
| 69 |
E-mail address : TomWij@g.o |
| 70 |
GPG Public Key : 6D34E57D |
| 71 |
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D |
Archives