Debian Developers - can i upload this to security.d.o?

martin f krafft

2004-03-14, 6:33 am

According to bug#231858, currently it's not possible to use
grsecurity on Woody. The latest kernel on woody is 2.4.18, and
apparently some security patches have propagated back into that
kernel that break grsecurity.

Thus, my question: I'd be willing to fix grsecurity wrt woody and
2.4.18. Could I upload the fixed version to security.d.o? Or should
I just declare grsecurity to be unusable on woody and tell people to
get newer, non-woody kernels?

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Martin Schulze

2004-03-14, 10:34 am

martin f krafft wrote:
> According to bug#231858, currently it's not possible to use
> grsecurity on Woody. The latest kernel on woody is 2.4.18, and
> apparently some security patches have propagated back into that
> kernel that break grsecurity.
>
> Thus, my question: I'd be willing to fix grsecurity wrt woody and
> 2.4.18. Could I upload the fixed version to security.d.o? Or should
> I just declare grsecurity to be unusable on woody and tell people to
> get newer, non-woody kernels?


No, you can't. a) because you can't access the queue and b) because
you haven't read the security FAQ or developers reference.

Apart from that I'm interested to learn what broke and how it would
be fixed.

Regards,

Joey

--
Life is too short to run proprietary software. -- Bdale Garbee

Please always Cc to me when replying to me on the lists.


--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
martin f krafft

2004-03-14, 10:34 am

also sprach Martin Schulze <joey@infodrom.org> [2004.03.14.1535 +0100]:
> No, you can't. a) because you can't access the queue and b) because
> you haven't read the security FAQ or developers reference.


I know of both of these, and I have read the related docs. However,
there is no mention of what to do in case that a security update
breaks a different package, which seems to be the case here
(although I have not researched this in full depth).

Now, obviously I don't have access to security.debian.org; I would
have assumed that you'd have read my question whether I can upload
to s.d.o as whether I should bother (and make you guys bother) with
an update, or whether I can just as well forget the update.

> Apart from that I'm interested to learn what broke and how it
> would be fixed.


It's probably a backport of some of the millions of patches in
Herbert's packages.

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Matt Zimmerman

2004-03-14, 5:34 pm

On Sun, Mar 14, 2004 at 11:54:02AM +0100, martin f krafft wrote:

> According to bug#231858, currently it's not possible to use
> grsecurity on Woody. The latest kernel on woody is 2.4.18, and
> apparently some security patches have propagated back into that
> kernel that break grsecurity.
>
> Thus, my question: I'd be willing to fix grsecurity wrt woody and
> 2.4.18. Could I upload the fixed version to security.d.o? Or should
> I just declare grsecurity to be unusable on woody and tell people to
> get newer, non-woody kernels?


This is a common source of confusion which often comes up with the
'security' tag in debbugs, but I'm not sure where in the documentation it
should be clarified. Clearly the developer's reference is not the right
place, because there is an entire section on security updates already which
it doesn't seem that you've read (it answers your question about uploading).

Put simply, having a bug in a security-related package is not the same as
having a security-related bug (vulnerability). security.debian.org and DSAs
are used to address the latter, not the former.

If you want to address a severe bug in woody, the correct approach is to
upload to proposed-updates.

--
- mdz


martin f krafft

2004-03-15, 1:34 am

also sprach Matt Zimmerman <mdz@debian.org> [2004.03.14.2239 +0100]:
> Put simply, having a bug in a security-related package is not the same as
> having a security-related bug (vulnerability). security.debian.org and DSAs
> are used to address the latter, not the former.


I am fully aware of that. However, what happens when
a security-related bugfix causes another package to become
unusable?

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Matt Zimmerman

2004-03-15, 3:33 am

On Mon, Mar 15, 2004 at 06:45:20AM +0100, martin f krafft wrote:

> also sprach Matt Zimmerman <mdz@debian.org> [2004.03.14.2239 +0100]:
>
> I am fully aware of that. However, what happens when a security-related
> bugfix causes another package to become unusable?


Usually it doesn't; the kernel is a special case because it has so many
source-oriented dependency relationships. Still, proposed-updates seems
like the correct route.

--
- mdz


martin f krafft

2004-03-15, 3:34 pm

also sprach Matt Zimmerman <mdz@debian.org> [2004.03.15.0916 +0100]:
> Usually it doesn't; the kernel is a special case because it has so
> many source-oriented dependency relationships. Still,
> proposed-updates seems like the correct route.


But it won't make it to stable that way, right? Seeing as there is
a new release in testing, I don't see the point...

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Matt Zimmerman

2004-03-15, 3:34 pm

On Mon, Mar 15, 2004 at 08:36:28PM +0100, martin f krafft wrote:

> also sprach Matt Zimmerman <mdz@debian.org> [2004.03.15.0916 +0100]:
>
> But it won't make it to stable that way, right? Seeing as there is
> a new release in testing, I don't see the point...


Why would you say that? That's exactly what proposed-updates is for.

--
- mdz


martin f krafft

2004-03-15, 3:34 pm

also sprach Matt Zimmerman <mdz@debian.org> [2004.03.15.2038 +0100]:
> Why would you say that? That's exactly what proposed-updates is for.


Ah, I was confused. Sorry.

Okay, I will upload the package to proposed-updates.

Thanks for your time and patience.

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Herbert Xu

2004-03-17, 9:42 am

martin f krafft <madduck@debian.org> wrote:
>
>
> It's probably a backport of some of the millions of patches in
> Herbert's packages.


You've got to be kidding. The only thing that has changed in woody
is the addition of the mmap/mremap security patches.

The fact that it breaks your package just shows how intrusive
your patch really is.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


martin f krafft

2004-03-18, 9:41 am

also sprach Herbert Xu <herbert@gondor.apana.org.au> [2004.03.17.0954 +0100]:
> You've got to be kidding. The only thing that has changed in woody
> is the addition of the mmap/mremap security patches.
>
> The fact that it breaks your package just shows how intrusive
> your patch really is.


I don't know what actually causes my patch not to apply. However,
when I fixed it manually, it was really easy, mostly related to
extra comments or slightly changed lines (patch *is* stupid after
all).

So whatever, the patch may be intrusive, but fact is that what's
contained in Woody these days is unusable.

--
Please do not CC me when replying to lists; I read them!

.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
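The failure mode discussed in this thread (a kernel patch that stops applying once the base it was diffed against is touched by a security update) comes down to how unified-diff hunks are matched. The following is an added illustration, not code from the thread, from grsecurity or from the Debian kernel packages: it is a deliberately minimal hunk applier modelled on patch(1)'s behaviour, run over a constructed toy "mmap.c". The file contents, the hunk and the two modified bases are all made up for the demonstration; the point it shows is that an added comment above the hunk only shifts it (patch reports an offset and still applies), whereas a changed line inside the hunk's context makes the hunk fail outright, which is exactly the "extra comments or slightly changed lines" case described above.

```python
import re

# Constructed toy base file standing in for the original kernel source.
BASE = """\
int do_mmap(void)
{
\tcheck_flags();
\treturn map_region();
}
"""

# Constructed hunk in the style of an out-of-tree hardening patch:
# it inserts one call after check_flags(), with three lines of context.
PATCH = """\
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1,5 +1,6 @@
 int do_mmap(void)
 {
 \tcheck_flags();
+\tgrsec_check();
 \treturn map_region();
 }
"""

# Base after a (constructed) security update that only added a comment
# above the function: the hunk's context is intact, just one line lower.
BASE_COMMENT = "/* security update: mremap bounds check */\n" + BASE

# Base after a (constructed) security update that changed a line that is
# part of the hunk's context: the hunk can no longer be placed.
BASE_CHANGED = BASE.replace("check_flags();", "check_flags(flags);")

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(diff_text):
    """Split a unified diff into hunks: old start line plus (tag, text) pairs."""
    hunks, cur = [], None
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            cur = {"old_start": int(m.group(1)), "lines": []}
            hunks.append(cur)
        elif cur is not None and line[:1] in (" ", "-", "+"):
            cur["lines"].append((line[0], line[1:]))
    return hunks


def apply_hunk(src, hunk):
    """Return (new_lines, offset). Raise ValueError if the context is not found.

    Like patch(1), the recorded position is tried first, then the same
    context is searched for elsewhere in the file, nearest position first.
    """
    old_side = [t for tag, t in hunk["lines"] if tag in (" ", "-")]
    new_side = [t for tag, t in hunk["lines"] if tag in (" ", "+")]
    expected = hunk["old_start"] - 1
    candidates = sorted(range(len(src) - len(old_side) + 1),
                        key=lambda i: abs(i - expected))
    for pos in candidates:
        if src[pos:pos + len(old_side)] == old_side:
            return src[:pos] + new_side + src[pos + len(old_side):], pos - expected
    raise ValueError("hunk does not apply: context lines changed")


def apply_patch(text, diff_text):
    """Apply every hunk (last hunk first, so earlier line numbers stay valid).

    Returns the patched text and the list of offsets, one per hunk.
    """
    src = text.splitlines()
    offsets = []
    for hunk in reversed(parse_hunks(diff_text)):
        src, off = apply_hunk(src, hunk)
        offsets.append(off)
    return "\n".join(src) + "\n", list(reversed(offsets))


if __name__ == "__main__":
    for label, base in (("pristine", BASE), ("comment added", BASE_COMMENT),
                        ("line changed", BASE_CHANGED)):
        try:
            _, offs = apply_patch(base, PATCH)
            print(f"{label}: applied, offsets {offs}")
        except ValueError as exc:
            print(f"{label}: FAILED ({exc})")
```

Running it prints that the pristine base applies at offset 0, the comment-only base applies at offset 1, and the base with the changed `check_flags` line fails. Real patch(1) adds fuzz (dropping outer context lines) on top of the offset search, which is why some such breakage goes unnoticed until a line inside the hunk itself moves; regenerating the diff against the updated base, as the poster did by hand, is the fix in both cases.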
