On Thu, 21 Mar 2013 12:43:29 +0100
"Eric F. GARIOUD" <eric-f.garioud@×××××××.fr> wrote:

> On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote:
>
> > Added: 1069_linux-3.0.70.patch
> > Added: 1040_linux-3.2.41.patch
> > Added: 1036_linux-3.4.37.patch
> > Added: 1003_linux-3.8.4.patch
>
> Should I understand from this that the gentoo-sources project has no
> intention to port the security fixes back to the 3.7 and 3.6
> branches?
|
The above commit merely reflects the upstream version bumps; you will not
want to draw assumptions based on a single commit.
|
To address your question, it doesn't come down to intention but
rather to manpower. There are way too many security bugs for ~2
kernel maintainers to handle [1] while we have to deal with normal
kernel bugs [2], kernel version bumps, relevant packages and more...
|
It doesn't just stop with the lack of manpower on the kernel team; the
stabilization team can't provide the effort to stabilize all security
fixes. I'm considering joining amd64 and x86, but that's not enough.
|
Therefore, we currently only deal with the security fixes which can
allow a normal user to gain root privileges in one way or another;
these are the most severe and special attention is given to those.
|
Then, the other thing to consider would indeed be intention; if we were
able to do this, we would combine them into revision bumps, so there
isn't anything other than the lack of manpower in the way, afaik.
|
[1]: List of kernel bugs assigned to security@g.o.
https://bugs.gentoo.org/buglist.cgi?quicksearch=Kernel%20assignee%3Asecurity%40gentoo.org
|
[2]: List of kernel bugs not assigned to security@g.o.
https://bugs.gentoo.org/buglist.cgi?cmdtype=runnamed&namedcmd=Kernel&list_id=1621534
|
> In case of a positive answer and in case I would port the security
> fixes back to the 3.6 branch myself, would you agree to package &
> distribute the result as genpatches?
>
|
There are two approaches here (I assume you are not a Gentoo Dev):
|
1) You could opt to become a Gentoo Developer and join the kernel team;
we can mentor you, and you then no longer need to await proxy-maint.
|
2) If possible by policy, we could ask for you to get explicit access
to genpatches such that you can add these patches, and then when there
is a sufficient number in a branch we can release a new genpatches
for that branch.
|
A third approach would be sending patches, but that would introduce a
lot of unnecessary communication which burdens us both with extra work.
|
Please note that fixing these security bugs goes further than just
maintaining EOL branches; the LTS branches also need to be checked,
it might not always be guaranteed that upstream ports everything back to those.
|
With kind regards,
|
Tom Wijsman (TomWij)
Gentoo Developer
|
E-mail address : TomWij@g.o
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D