Your message dated Tue, 17 Jan 2017 19:54:49 +0000
with message-id <1484682889.2998.61.ca...@decadent.org.uk>
and subject line Re: Bug#851702: linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
has caused the Debian Bug report #851702,
regarding linux-image-amd64: Important (and unacceptable) delay for providing updates for users of signed linux kernels
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-amd64
Version: 4.8+77~bpo8+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now two flavours of Linux kernels are released. The default ones are
signed ones while other unsigned kernels are available.

The problem is that there's a significant delay between the release of the two flavours, often more than one week, which exposes users of signed kernels to critical vulnerabilities addressed in the newer kernel releases. The only possible workaround is to switch to -unsigned linux kernels, but this is messy and clearly unwanted.

I've raised an issue on the BPO mailing list here: https://lists.debian.org/debian-backports/2017/01/msg00033.html (the issue also applies to testing and unstable).

The answer is basically that:
1/ - unsigned kernels are only available for testing purposes
2/ - it is not possible to build simultaneously signed and unsigned kernels.

I'm okay with the latter as long as there's only a couple of hours between the two kernel releases. Now if we must wait more than one week to get the signed image, it clearly reveals there's an issue in the signed image build process which must be addressed before the Stretch release.

Otherwise a possibility would be to use the -unsigned image by default and create an optional linux-image-amd64-signed metapackage like the one which exists for grsec.



-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-amd64 depends on:
ii  linux-image-4.8.0-0.bpo.2-amd64-unsigned [linux-image-4.8.
 4.8.15-2~bpo8+1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
On Tue, 2017-01-17 at 20:17 +0100, Julien Aubin wrote:
> Package: linux-image-amd64
> Version: 4.8+77~bpo8+1
> Severity: critical
> Tags: security
> Justification: root security hole

Let's not play BTS wars.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus



--- End Message ---
