Re: Will there be security updates for 2.6.17 kernels?

Re: Will there be security updates for 2.6.17 kernels?

[Mario Vanoni]

Not in lkml, so cc if needed.

Running 3 machines Slackware 11.0,
all kernel 2.6.18.5, no problems.
Waiting 2.6.19.3 to update ...

Regards
Mario Vanoni

Will there be security updates for 2.6.17 kernels?

[Manuel Reimer]

Hello,

my problem is, that the slackware maintainers decided to use kernel 
2.6.17. Here is their comment, they posted to the changelog:

After much thought and consultation with developers, it has been decided 
to move 2.6.17.x out of /testing and into /extra.  It runs stable by all 
reports, has better wireless support, and is not going to be stale as 
soon.  In addition, HIGHMEM4G has been enabled.  This caused no problems 
with my old 486 with 24MB (the one I use for compiling KDE ;-), and 
Tomas Matejicek has enabled this in SLAX for a long time with no reports 
of problems, so I believe it is a safe option (and is needed by many 
modern machines). Thanks again to Andrea for building these kernels and 
packages.  :-)

They had a 2.6.16 kernel in /extra before and as far as I know the
2.6.16 kernel series still gets security updates.

Is this also the case for 2.6.17 kernels? will there be an update if
there is an security hole in the latest 2.6.17 kernel?

The problem is, that the slackware team doesn't patch anything on their
own. They always wait for the update done by the author, if the bug
isn't very critical. This means they will stay forever with their
current version of the 2.6.17 kernel, if there will be no updates in
future.

If there will be no updates for 2.6.17 in future: Are there already
security holes in 2.6.17? Could someone please give two examples? I need
informations, to be able to contact the slackware team, to request a
"downgrade" to 2.6.16.

Thank you very much in advance

Yours

Manuel Reimer

Re: Will there be security updates for 2.6.17 kernels?

[Jesper Juhl]

On 14/12/06, Manuel Reimer <Manuel.Spam@nurfuerspam.de> wrote:
> Hello,
>
> my problem is, that the slackware maintainers decided to use kernel
> 2.6.17. Here is their comment, they posted to the changelog:
>
<snip>
>
> They had a 2.6.16 kernel in /extra before and as far as I know the
> 2.6.16 kernel series still gets security updates.
>
> Is this also the case for 2.6.17 kernels?

No, that is not planned. 2.6.16.x is an exception.    -stable kernels
(those with 2.6.x.y versions) are only released for the latest stable
2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
out there will not be any more 2.6.19.x, only 2.6.20.x   - I hope
that's clear...

>will there be an update if
> there is an security hole in the latest 2.6.17 kernel?
>
No. If the problem was also in the latest stable kernel (currently
2.6.19.1) then a fix would go into 2.6.19.2 and users can then upgrade
to that kernel. If 2.6.19.1 is not vulnerable, then everything is fine
as users of old 2.6.17 kernels can just upgrade to 2.6.19.1


> The problem is, that the slackware team doesn't patch anything on their
> own. They always wait for the update done by the author, if the bug
> isn't very critical. This means they will stay forever with their
> current version of the 2.6.17 kernel, if there will be no updates in
> future.
>
Not true. Slackware updates the kernel to fix security issues - this
has been the case in the past and i don't see why it would change in
the future.

> If there will be no updates for 2.6.17 in future: Are there already
> security holes in 2.6.17?

probably.

>Could someone please give two examples? I need
> informations, to be able to contact the slackware team, to request a
> "downgrade" to 2.6.16.
>
Ehh, you wouldn't want to do that. You'd want to encourage an upgrade
to 2.6.19.1 instead.


-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

Re: Will there be security updates for 2.6.17 kernels?

[Manuel Reimer]

Jesper Juhl schrieb:
> No, that is not planned. 2.6.16.x is an exception.    -stable kernels
> (those with 2.6.x.y versions) are only released for the latest stable
> 2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
> out there will not be any more 2.6.19.x, only 2.6.20.x   - I hope
> that's clear...

Yes, I think that's clear, but are those "stable" kernels really 
"stable". Stable would be a kernel which only gets security updates and 
maybe some new drivers, but not mayor changes in concept, which may 
require to modify config scripts, init scripts or whatever in system.

I think the 2.6.16.x would be something like this. It should do the job 
until the next 2.6.x is nominated to get future security updates.

> Not true. Slackware updates the kernel to fix security issues - this
> has been the case in the past and i don't see why it would change in
> the future.

Yes, that's true. They updated the 2.4.x kernel at least once, but they 
updated the kernel with an official kernel.org kernel. What I tried to 
say is, that they don't create their own kernel patches to fix critical 
security bugs in the kernels, they ship (at least as far as I know).

I just assume that they planned to stay with 2.6.17 for Slackware 11, as 
this kernel works for all the other packages, scripts, ...

>> Could someone please give two examples? I need
>> informations, to be able to contact the slackware team, to request a
>> "downgrade" to 2.6.16.
>>
> Ehh, you wouldn't want to do that. You'd want to encourage an upgrade
> to 2.6.19.1 instead.

I don't think they want to go that way. This would just mean that they 
have to create too much updates. Maybe even one of those "stable" 
kernels has a major bug (there was an XFS bug in the past. One of my 
friends, who regularly compiled new kernels, lost files that way).

If 2.6.16 is the "real stable" branch, then I'd vote for using this one.

But it's not my decision. Anything I needed to know is that there will 
be definetly no more security updates for 2.6.17.

Yours

Manuel Reimer

Re: Will there be security updates for 2.6.17 kernels?

[Bill Davidsen]

Jesper Juhl wrote:
> On 14/12/06, Manuel Reimer <Manuel.Spam@nurfuerspam.de> wrote:
>> Hello,
>>
>> my problem is, that the slackware maintainers decided to use kernel
>> 2.6.17. Here is their comment, they posted to the changelog:
>>
> <snip>
>>
>> They had a 2.6.16 kernel in /extra before and as far as I know the
>> 2.6.16 kernel series still gets security updates.
>>
>> Is this also the case for 2.6.17 kernels?
> 
> No, that is not planned. 2.6.16.x is an exception.    -stable kernels
> (those with 2.6.x.y versions) are only released for the latest stable
> 2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
> out there will not be any more 2.6.19.x, only 2.6.20.x   - I hope
> that's clear...
> 
A happy exception I would say, given that there have been several 
changes since then which might impact existing application software. 
There are reasons to stay with 2.6.16 until applications have been 
updated to handle the new unchanged behavior. See "VCD not readable" for 
details.

-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979