Hi!

On Thu, 2024-04-04 at 23:13:03 +0200, Sebastian Andrzej Siewior wrote:
> On 2024-04-04 00:14:27 [+0200], Guillem Jover wrote:
> > I initially was thinking that a conditionally triggered activation
> > when upgrading from the affected versions would be sufficient, but if
> > people have already upgraded, then that will still leave them with the
> > malicious stuff in their initramfs.
>
> Do you think about a one-time trigger to ensure the 5.6 release is gone
> or to keep it?
Given that we do not have a release barrier to assume people have upgraded to a known state, and are dealing with the rolling testing and sid releases, I'd say probably at least until the release of trixie to be extra safe, or if you don't want to have it included in the stable release, then to be removed immediately before or during the freeze? (As in, if you include it for say 5.6.1+really5.4.5-2 and remove it in 5.6.1+really5.4.5-3, if someone does not upgrade until -3 or later then they will still miss it.)

> I can't tell what happened exactly but the 5.6 release is
> gone from my _current_ initramfs so something triggered it already. Only
> the older "previous" kernel has it.

If you have since installed any other package that might also trigger its regeneration such as grub, a linux kernel, udev, etc, then that would be expected. But if users have not, they might still have the backdoor. I think the price for an excess initramfs regeneration is worth the hassle of the time it takes to perform that action (better safe than sorry etc).

Thanks,
Guillem
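The point raised above is that an older "previous" initramfs can keep carrying the affected liblzma long after the package itself has been downgraded. The following is an added example (not code from this thread, the xz-utils package or initramfs-tools) of a defender-side check for that situation: it lists each initramfs image under /boot with lsinitramfs(8) from initramfs-tools and reports any liblzma shared object whose soname version is one of the affected upstream releases. The thread names 5.6.1; treating 5.6.0 as the other affected release is an assumption stated here. The scanning logic is kept in a function that reads a listing from stdin, so it can be exercised on a constructed listing without touching /boot.

```sh
#!/bin/sh
# Added example, not part of the original mail thread.
# Reports initramfs images that still contain liblzma from the affected
# xz 5.6.x releases. lsinitramfs comes from Debian's initramfs-tools.

# Upstream xz versions treated as affected: 5.6.1 is named in the thread,
# 5.6.0 is an assumption documented in the lead-in.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# scan_listing: read an initramfs file listing (one path per line) on stdin
# and print every liblzma shared object whose soname version is affected.
# Returns 0 when nothing affected was found, 1 otherwise.
scan_listing() {
    found=0
    while IFS= read -r path; do
        case "$path" in
            *liblzma.so.*) ;;
            *) continue ;;
        esac
        # Keep only what follows "liblzma.so.", e.g. "5" or "5.6.1".
        ver="${path##*liblzma.so.}"
        for bad in $AFFECTED_VERSIONS; do
            if [ "$ver" = "$bad" ]; then
                printf 'AFFECTED: %s\n' "$path"
                found=1
            fi
        done
    done
    return "$found"
}

# scan_images: run scan_listing over every initramfs under /boot.
# Returns 1 if any image still carries an affected liblzma.
scan_images() {
    status=0
    for img in /boot/initrd.img-*; do
        [ -e "$img" ] || continue
        printf '== %s\n' "$img"
        lsinitramfs "$img" | scan_listing || status=1
    done
    return "$status"
}

# Only touch /boot when explicitly asked, so the functions can be sourced
# or tested on constructed listings.
if [ "${1:-}" = "--scan" ]; then
    scan_images
fi
```

Run it as `sh check-initramfs-lzma.sh --scan` as root; a flagged image is one that was not regenerated after the downgrade, and the standard way to refresh every installed kernel's image on Debian is `update-initramfs -u -k all`.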