lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 16 Oct 2008 20:47:17 -0700
From:	Greg KH <greg@...ah.com>
To:	Adrian Bunk <bunk@...nel.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC] Kernel version numbering scheme change

On Thu, Oct 16, 2008 at 07:46:02PM +0300, Adrian Bunk wrote:
> On Thu, Oct 16, 2008 at 08:17:48AM -0700, Greg KH wrote:
> > On Thu, Oct 16, 2008 at 03:49:43PM +0300, Adrian Bunk wrote:
> >...
> > > If a distribution will try to autobuild an urgent OpenSSL security 
> > > update for their stable release in a chroot on a machine running
> > > kernel 2009.2.3 they will surely love you for being responsible
> > > for this...
> > 
> > Distros properly patch things and backport "urgent OpenSSL security
> > updates" to older versions of packages, so they would not run into this
> > problem.
> 
> You didn't get my point.
> 
> Let me make an example:
> 
> The current Debian release will be supported until one year after the
> next release gets released.
> 
> Someone from the Debian security team send a fixed package to the
> buildds.
> 
> The buildds build packages in chroots.
> 
> A buildd may run any Debian release.
> 
> And it's perfectly normal that a buildd runs a more recent release of 
> Debian than the one a package gets built for in a chroot.

So you are saying the Debian build system would build a package for an
older release, on a system that is newer, and that build would be
determining things based on the system it is built on, not what it is
being built for?

If so, then something is very broken already in the Debian build system
and I think you have much bigger problems to worry about right now.

For all other "sane" build systems that I know of, you build against the
libraries/kernel/gcc/glibc/etc that you are wanting to support it for,
not against some random-whatever-happened-to-be-installed-on-the-box.

> No matter what you claim, you suggest to break currently working setups.

No, you have described a broken setup.

Now for new releases, yes, something might have to be changed, but that
is when a sane distro would move to the newly named kernel, not
affecting any old releases at all.

Hope this helps,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ