[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Any objections to removing address@hidden

From: Mark H Weaver
Subject: Re: Any objections to removing address@hidden
Date: Sun, 04 Jun 2017 15:54:45 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Leo Famulari <address@hidden> writes:

> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need address@hidden in Guix?  If not, I'd like
>> to remove it.
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>> What do you think?
> I don't have a strong objection. If somebody needs this particular Linux 
> release
> series later, it will not be difficult for them to recreate.
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/

Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.

> I recommend waiting a few days for more comments. IIRC, we kept this 
> particular
> series to work around some bugs related to GuixSD and Libreboot. So, there 
> were
> some people using it. I'd hate to "strand" existing users who might not notice
> that they are not receiving updates to the 'linux-4.1' package they've 
> specified
> in their GuixSD configuration.

Yes, of course, that's why I asked.  If some Libreboot users still need
4.1, then we'll keep it.  However, I have a vague recollection of
hearing that the problem with Libreboot has since been resolved.

> If Hydra resources are a concern, perhaps we could keep the package but not
> build it.

No, my only concern is that I've lost confidence in the security of the
4.1 kernels.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]