On Thu, 21 Mar 2013 12:43:29 +0100 "Eric F. GARIOUD" <[email protected]> wrote:

> On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote:
>
> > Added: 1069_linux-3.0.70.patch
> > Added: 1040_linux-3.2.41.patch
> > Added: 1036_linux-3.4.37.patch
> > Added: 1003_linux-3.8.4.patch
>
> Should I understand from this that the gentoo-sources project gets no
> intention to port the security fixes back to the 3.7 and 3.6
> branches ?

Above commit merely reflects the upstream version bumps, you will not want to draw assumptions based on a single commit.

To address your question, it doesn't come down to intention but rather to manpower. There are way too many security bugs for ~2 kernel maintainers to handle [1] while we have to deal with normal kernel bugs [2], kernel version bumps, relevant packages and more...

It doesn't just stop with the lack of manpower on the kernel team, the stabilization team can't provide the effort to stabilize all security fixes; I'm considering joining amd64 and x86, but that's not enough.

Therefore, we currently only deal with the security fixes which can allow a normal user to gain root privileges in one way or another; these are the most severe and special attention is given to those.

Then, the other thing to consider would indeed be intention; if we were able to do this, we would combine them into revision bumps so there isn't anything else than the lack of manpower in the way, afaik.

[1]: List of kernel bugs assigned to [email protected].
https://bugs.gentoo.org/buglist.cgi?quicksearch=Kernel%20assignee%3Asecurity%40gentoo.org

[2]: List of kernel bugs not assigned to [email protected].
https://bugs.gentoo.org/buglist.cgi?cmdtype=runnamed&namedcmd=Kernel&list_id=1621534

> In case of a positive answer and in case I would port the security
> fixes back to the 3.6 branch myself, would you accept to package &
> distribute the result as genpatches ?

There are two approaches here (I assume you are not a Gentoo Dev):

1) You could opt to become a Gentoo Developer and join the kernel team; we can mentor you, you then no longer need to await proxy-maint.

2) If possible by policy, we could ask for you to get explicit access to genpatches such that you can add these patches and then when there are a sufficient amount in a branch we can then release a new genpatches for that branch.

A third approach would be sending patches, but that would introduce a lot of unnecessary communication which burdens us both with extra work.

Please note that fixing these security bugs goes further than just maintaining EOL branches; the LTS branches also need to be checked, it might not always be guaranteed that upstream ports back everything to that.

With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : [email protected]
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
