On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:
> On Sat, 2011-02-19 at 14:04 -0500, Michael Gilbert wrote:
> > On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:
> >
> > > On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
> [...]
> > > > 2. Improve testing security by reducing the amount of vulnerabilities
> > > > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > > > described previously)
> > >
> > > Huh? I don't see any source for this figure.
> >
> > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
> > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html
>
> I read those and I can't see any source for comparison between 2.6.32
> and 2.6.37. In fact you say that 'squeeze (2.6.32) was vulnerable to
> 98% (51 out of 52)' which implies only 2% fewer vulnerabilities.
I suppose the way I said that is confusing. That research was from past
results, and my latest statement is a projection based on the past. In
other words, if lenny was vulnerable to 67% of the issues that squeeze
was, I'm projecting that it will be similar for squeeze: it will be
vulnerable to about 67% of the issues that wheezy will; although that
could be +-10%, +-20%, who knows since events have yet to happen.

> > I've been using ati cards exclusively for some time now; although I've
> > also been willing to install the fglrx driver for full support ;)
>
> Then I really can't take your concern for security seriously. The
> changelog for fglrx-source has no mention of security fixes, and I don't
> for one moment believe there are no vulnerabilities in it.

Well, that's a risk I'm willing to accept for myself. Others may have a
differing perspective, and that's fine. My risk mitigation strategy
should have nothing to do with the rest of the project's.

> > Also, the xorg vesa driver does work.
>
> Seems like a waste of money to buy an ATI card and then use it as a dumb
> framebuffer.

Not all ati cards are top of the line, and not all users need 3D anyway.

> > Again, if the user is interested in such new developments, they will
> > need to be willing to learn how to run an unstable system.
>
> I thought that users interested in new stuff were supposed to run CUT.

Most packages will in fact be new, just the kernel and reverse
dependencies will be held back. Hence CUT users will get 99% new stuff
(with respect to stable), and a tiny bit held back simply for stability.
Like I've said a couple of times now, it's a balancing act. All I'm
asking for is a few-month-long experiment. And if the experiment shows
signs of flaws/weaknesses, then the blocker can certainly be lifted.

Best wishes,
Mike

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

