Your message dated Tue, 17 Jan 2017 19:54:49 +0000 with message-id <1484682889.2998.61.ca...@decadent.org.uk> and subject line Re: Bug#851702: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels has caused the Debian Bug report #851702, regarding linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 851702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851702 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: linux-image-amd64 Version: 4.8+77~bpo8+1 Severity: critical Tags: security Justification: root security hole Hi, As of now two flavours of Linux kernels are released. The default ones are signed ones while other unsigned kernels are available. The problem is that there's a significant delay between the release of the two flavours, often more than one week, which exposes users of signed kernels to critical vulnerabilities addressed in the newer kernel releases. The only possible workaround is to switch on -unsigned linux kernels, but this is messy and clearly unwanted. I've raised an issue on BPO mailing list here : https://lists.debian.org /debian-backports/2017/01/msg00033.html (the issue also applies to testing and unstable). The answer is basically that : 1/ - unsigned kernels are only available for testing purposes 2/ - it is not possible to build simultaneously signed and unsigned kernels. I'm okay with the latter as long as there's only a couple of hours between the two kernel releases. Now if we must wait more than one week to get the signed image it clearly reveals there's an issue in the signed image build process which must be addressed before Stretch release. Otherwise a possibility would be to use by default -unsigned image and create an optional linux-image-amd64-signed metapackage like the one which exists for grsec. -- System Information: Debian Release: 8.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages linux-image-amd64 depends on: ii linux-image-4.8.0-0.bpo.2-amd64-unsigned [linux-image-4.8. 4.8.15-2~bpo8+1 linux-image-amd64 recommends no packages. linux-image-amd64 suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---On Tue, 2017-01-17 at 20:17 +0100, Julien Aubin wrote: > Package: linux-image-amd64 > Version: 4.8+77~bpo8+1 > Severity: critical > Tags: security > Justification: root security hole Let's not play BTS wars. Ben. -- Ben Hutchings We get into the habit of living before acquiring the habit of thinking. - Albert Camussignature.asc
Description: This is a digitally signed message part
--- End Message ---