Package: fai-kernels
Severity: important

Hi Thomas,

to make life easier for the security team(s) to provide security updates for the various kernel packages, please name the kernel-source-package with its abi version (2.4.27-3, not 2.4.27) in the package description of fai-kernels (or in the names of the kernel debs the package contains).

Log from #debian-boot:

<ths> vorlon: mips/mipsel kernel can also use nfs-root, and for i386 there are the FAI kernels. :-)
<vorlon> ths: <whine> what does the fai-kernels package contain?
<vorlon> this is the first time I've noticed this completely unversioned package name...
<vorlon> and the version number on the package is equally useless...
<ths> vorlon: Kernels for FAI installs. The NFS support is one of the main differences AFAIK.
<vorlon> ths: yes, but what source are they based on?
<ths> vorlon: Ask Thomas Lange what he did with it. :-)
<vorlon> I don't look forward to telling Joey that he has to provide security support for a kernel package that doesn't even bother telling people what kernel version it's based on...
<p2-mate> vorlon: they are only used for installation
<vorlon> p2-mate: but we still have to deal with remote vulns
<vorlon> ?
<ths> p2-mate: They could also be used for the running system, that's an admin decision.
<p2-mate> vorlon: I would assume people doing network installs are not using internet-connected networks for that
<ths> p2-mate: Every university pool does.
<Kamion> not a terribly safe assumption
<vorlon> p2-mate: ugh, that's the kind of assumption that leaves us with egg on our face.
<p2-mate> ths: that's a horribly bad idea
<Kamion> we just cannot get away with un-security-updated kernels nowadays
<Kamion> any scheme that assumes we can will break at some point
<Q_> p2-mate: amd64 does not have fai kernels in debian, it's i386 only.
<p2-mate> Q_: FAI has them
<h01ger> vorlon: you could file a bug against fai-kernels requesting the kernel version number in the package name ;-) "but" the package contains a 2.4 and a 2.6 kernel... at the moment, there are no fai-kernels for !i386 available in debian. (i have ppc ones, someone else has them for alpha, on the fai homepage there is one for amd64...)
<h01ger> there are also patches to use normal (aka debian default) kernels with initrds for fai - but this patch has not been applied. afaik also so as not to break anything so short before a release...
<h01ger> anyway, i really suggest talking to thomas lange about it...
<h01ger> vorlon, Kamion: so you would rather suggest fai-kernel-i386-2.4.27-3 and fai-kernel-i386-2.6.8-x ?
<Kamion> h01ger: not bothered as long as the version number's clear and it's trivial for the security team to find out what's in it and to update
<Kamion> h01ger: although the package name should not change on each version; don't want to require NEW processing all the time
<ths> Kamion: I think the module ABI version should be included.
<ths> (I guess that's what -3, -x is.)
<Kamion> ah, ok, yeah, sure
<h01ger> fai-kernels contains two debs: kernel-image-2.4.27-fai_1_i386.deb and kernel-image-2.6.8-fai_1_i386.deb - afaik built from the corresponding kernel source packages - so is this enough ?
<Kamion> no, there's no indication of which kernel ABI those are, or which version, so we can't automatically tell whether they're security-updated
<Kamion> all that gives us is the upstream kernel version, which these days is next to useless
<h01ger> yes, sorry, i've mixed up the fai number with the abi number..
<h01ger> i'll file a bug report - if you don't have one already. ok ?
<Kamion> h01ger: sure
<h01ger> vorlon: i'll file a bug today against fai-kernels requesting to name the kernel-source-package(s) with abi version in the description. mainly providing this irc log as bug description.

Also, the package only depends on kernel-source-2.4.27 but not on kernel-source-2.6.8. Please also fix this. (If kernel-source-2.6.8 is installed, fai-kernels builds from source fine.)

regards,
Holger