Hi!
On Fri, Jul 11, 2014 at 07:55:02AM -0400, Anthony G. Basile wrote:
> > Anyone bothers to stabilize 3.14.11-r1 anytime soon because of subj?
>
> Anyone = me. You can address these concerns to me personally as I am
> responsible. Bugs are best so we have a public record.
>
> I am aware of the issue. There have been too many rapid stabilizations
> because of CVE-2014-3153 and other issues. It doesn't help if I
> stabilize a kernel which panics on someone's hardware that I can't test
> on --- security issue or not. Been there done that. There is a balance
> of risk which your statement does not take into account.
I'm sorry if my question sounded offensive to you; this wasn't intentional.
I understand the risks, but:
- Gentoo is usually slower than other distributions on this, which is sad
- Hardened kernels are special ones - if people use hardened it means they
care about security more than the average Linux user, so they are more
likely to accept the risks you mentioned
- If you (I mean Gentoo devs in general, not you personally) don't
release or stabilize such a critical security fix for some
reasons (not well tested on some hardware, known to have issues on some
hardware, etc.) - I think you should ASAP release a GLSA or news item or
whatever (an announcement in this mailing list, at least) to force emerge to
notify users about the EXACT REASONS why this security fix isn't stabilized
yet - to let THEM decide whether these reasons apply to THEIR hardware and
whether they are ready to take such a risk and update to ~ARCH (or at least
give them an idea about when it is expected to be stabilized and, if any,
possible recommendations on how to temporarily protect against this
security issue until the new kernel is stabilized)
The last point doesn't mean you should do extra work/research etc. - just
share the information you already have (reasons not to stabilize right now)
and keep people updated about changes/progress.
--
WBR, Alex.