On 11/07/14 10:11 AM, Alex Efros wrote:
> Hi!
> 
> On Fri, Jul 11, 2014 at 07:55:02AM -0400, Anthony G. Basile wrote:
>>> Does anyone bother to stabilize 3.14.11-r1 anytime soon because of subj?
>>
>> Anyone = me.  You can address these concerns to me personally as I am 
>> responsible.  Bugs are best so we have a public record.
>>
>> I am aware of the issue.  There have been too many rapid stabilizations 
>> because of CVE-2014-3153 and other issues.  It doesn't help if I 
>> stabilize a kernel which panics on someone's hardware that I can't test 
>> on --- security issue or not.  Been there done that.  There is a balance 
>> of risk which your statement does not take into account.
> 
> I'm sorry if my question sounds offensive to you, this wasn't intentional.
> 
> I understand the risks, but:
> - Gentoo is usually slower than other distributions on this, which is sad

gentoo also has fewer devs and less manpower than other distributions,
full stop.

> - Hardened kernels are special ones - if people use hardened it means they
>   bother about security more than the average Linux user

true

> so they are more likely to accept the risks you mentioned

false; if anything, they are *less* likely since they are likely running
production systems.

> - If you (I mean Gentoo devs in general, not personally you) didn't
>   release or stabilize such a critical security fix for some
>   reasons (not well tested on some hardware, known to have issues on some
>   hardware, etc.) - I think you should ASAP release a GLSA or news or
>   whatever (an announcement on this mailing list, at least) to force emerge to
>   notify users about the EXACT REASONS why this security fix isn't stabilized
>   yet - to let THEM decide whether these reasons apply to THEIR hardware and
>   whether they are ready to take such a risk and update to ~ARCH (or at least
>   give them an idea of when it is expected to be stabilized and, if any,
>   possible recommendations on how to temporarily protect against this security
>   issue until the new kernel is stabilized)

1. we don't have enough people to release GLSAs as is, let alone
continuous progress announcements.

2. if you want to spend that much time, follow upstream itself. any such
"notifications" would merely serve to waste sec's time that could have
been spent on actually stabilizing the package.

> The last point doesn't mean you should do extra work/research etc.

yes, it does. by definition, doing more is more work.
