Package: debian-installer
Version: 20170615+deb9u4

Hi,

I just noticed a race condition in d-i, which may lead to a mild security risk.

When the kernel metapackage (linux-image-<arch>) is initially installed, APT doesn't install recommended packages, and the security.debian.org repository is not configured yet, so the installer naturally fetches the latest kernel from the core suite.

After APT configuration, when other repositories and suites are available, debian-installer runs an upgrade; but if a newer version of linux-image-<arch> is found in one of those newly available repositories (security.debian.org in this case), it's not installed, because APT refuses to install the recommended packages (firmware-linux-free, irqbalance) to satisfy dependencies, so the kernel metapackage is kept back. It won't be installed until the admin runs an upgrade manually, once the system is booted.

This may put it at risk during a certain period of time between the first boot and the first upgrade (and reboot).

Regards,

--
Raphaël Halimi
signature.asc
Description: OpenPGP digital signature
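A small post-install check for the situation the report describes, added here as an example and not part of the bug report or of debian-installer: it parses the output of a simulated upgrade (`apt-get -s dist-upgrade` or `apt-get -s upgrade`) and flags any kernel metapackage listed under "The following packages have been kept back:". The sample output embedded below is constructed to mirror the reported state (a kept-back linux-image-amd64), and the metapackage heuristic (a linux-image-* name with no embedded ABI version) is an assumption of this example, not a rule taken from the report.

```python
import re
import sys

# Constructed sample of `apt-get -s dist-upgrade` output (not captured from a
# real machine): the kernel metapackage is held back while other packages move.
SAMPLE_APT_OUTPUT = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  linux-image-amd64
The following packages will be upgraded:
  libc6 tzdata
2 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
"""

KEPT_BACK_HEADER = "The following packages have been kept back:"

# Concrete kernel packages carry an ABI version, e.g. linux-image-4.9.0-8-amd64;
# the metapackages (linux-image-amd64, linux-image-686-pae, ...) do not.
VERSIONED_KERNEL_RE = re.compile(r"^linux-image-\d+\.\d+\.\d+-\d+-")


def kept_back_packages(apt_output):
    """Return the package names apt lists under the 'kept back' header.

    apt prints the names indented on one or more lines after the header;
    the list ends at the first line that is not indented.
    """
    names = []
    in_section = False
    for line in apt_output.splitlines():
        if line.startswith(KEPT_BACK_HEADER):
            in_section = True
            continue
        if in_section:
            if line.startswith(" "):
                names.extend(line.split())
            else:
                in_section = False
    return names


def is_kernel_metapackage(name):
    """Heuristic (assumption of this example): a linux-image-* package without
    an embedded ABI version is a metapackage that tracks the latest kernel."""
    return name.startswith("linux-image-") and not VERSIONED_KERNEL_RE.match(name)


def kernel_metapackages_kept_back(apt_output):
    """Kernel metapackages that a simulated upgrade would leave at the old version."""
    return [n for n in kept_back_packages(apt_output) if is_kernel_metapackage(n)]


if __name__ == "__main__":
    # Pipe real output in (`apt-get -s dist-upgrade | python3 check.py`), or run
    # with no input to see the check applied to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APT_OUTPUT
    held = kernel_metapackages_kept_back(text)
    if held:
        print("WARNING: kernel metapackage(s) kept back, newer kernel not installed:")
        for name in held:
            print("  " + name)
        print("Run a manual upgrade that allows new dependencies, then reboot.")
    else:
        print("No kernel metapackage is kept back.")
```

The check only reads apt's simulation output, so it is safe to run as a first-boot task; a non-empty result is the window the report describes, where the system keeps running the installer-time kernel until an administrator upgrades and reboots.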