-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, Aug 25, 2017 at 08:42:10AM -0600, Reg Tiangha wrote: > On 2017-08-25 8:27 AM, Epitre wrote: > > I added the files for the latest version 4.12.8 including the XSA 229 > > patch from R. Tiangha repo. Here are the links: > > > > kernel: > > https://sourceforge.net/projects/qubes-linux-kernel/files/kernel-4.12.8-20.pvops.qubes.x86_64.rpm/download > > kernel-qubes-vm: > > https://sourceforge.net/projects/qubes-linux-kernel/files/kernel-qubes-vm-4.12.8-20.pvops.qubes.x86_64.rpm/download > > kernel-devel: > > https://sourceforge.net/projects/qubes-linux-kernel/files/kernel-devel-4.12.8-20.pvops.qubes.x86_64.rpm/download > > > > FYI, I haven't tested it yet on 4.12 myself, but there was a round of > kernel updates yesterday that included the XSA 229 patch into 4.4.84 and > 4.9.45; I'd assume it's the same with 4.12.9 but it'd be worthwhile > checking (you'll know if it's included if a prompt comes during the > patching phase of the build). If so, then you'll need to remove it again.
I think it's a good idea to talk here about including more recent kernels in mainline Qubes OS. Generally we have a policy for including only "longterm" kernels. Mostly because our release cycle is much longer than the kernel one, and in some cases new kernel "major" version may break some things. And also require more time for reviewing config changes. The simplest thing to do would be to put new kernel packages into the same repository and let user choose what to use. But there is a problem with this: yum/dnf make it hard to handle multiple versions of the same package. The default setting is to keep 3 latest kernel packages. This make it impossible to stay with, say 4.9, while there are already 3 or more new packages from 4.12 line. I see a few options for this problem: 1. Use "unstable" repository for non-longterm kernels. We've done this before, for 4.8 kernels. The problem with this approach is that unstable repository contains unstable packages. This is a place where we put some very experimental packages. Admittedly, recently this repository rarely receive any packages. Or create new repository specifically for non-longterm kernels. 2. Have non-longterm kernels packaged with different package name than "kernel" (and "kernel-qubes-vm"). For example "kernel-4.12" as a package name - so a full package name with version would be "kernel-4.12-4.12.9-1". Basically a Debian approach. 3. Terminate the policy of using only longterm support kernels. This require some more work on reviewing config changes and more testing (probably longer time in current-testing when uploading new major version). For this to happen, we'd prefer to have someone tracking kernel changes - IIUC Reg Tiangha already do this anyway. What do you think? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJZoHd5AAoJENuP0xzK19csd6cH/isHp8F8BOpmcKj3djkxYtQv luVGYaCGhfNHsbhPpnki7fAUdCIvz1ao+Rxs14Fhsrx1zHoQNTqhWWs7s5D9BoUX 7WkMB9JXa8xNyb+HmhVpetMSnG6fxj2bfuvXhZSfvWyPUYXUbU2Dd4UHjVIPorjc QyRqJ+sG6IxMr5LEq02SNkbSd6+6TLq1V6j3UY+HRv4abZG62ZXI4wIXy2AfTAH+ 1mw88wJaHzk9yVunlAhZA5w6JV/q7seu4ddhNGcTZ9FLGeCIqK3uedaC5ou45YEm v7hfawEQeKa8e0qpyQzdtF4hIHL1LKKcWhzsgWHbnc3gB+1c5r9YOoW7UXDanTw= =KGQL -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20170825191607.GC6570%40mail-itl. For more options, visit https://groups.google.com/d/optout.
