2006-12-14 14:57:56

by Manuel Reimer

Subject: Will there be security updates for 2.6.17 kernels?

Hello,

My problem is that the Slackware maintainers decided to use kernel
2.6.17. Here is the comment they posted to the changelog:

After much thought and consultation with developers, it has been decided
to move 2.6.17.x out of /testing and into /extra. It runs stable by all
reports, has better wireless support, and is not going to be stale as
soon. In addition, HIGHMEM4G has been enabled. This caused no problems
with my old 486 with 24MB (the one I use for compiling KDE ;-), and
Tomas Matejicek has enabled this in SLAX for a long time with no reports
of problems, so I believe it is a safe option (and is needed by many
modern machines). Thanks again to Andrea for building these kernels and
packages. :-)

They had a 2.6.16 kernel in /extra before and as far as I know the
2.6.16 kernel series still gets security updates.

Is this also the case for 2.6.17 kernels? Will there be an update if
there is a security hole in the latest 2.6.17 kernel?

The problem is that the Slackware team doesn't patch anything on their
own. They always wait for the update done by the author, if the bug
isn't very critical. This means they will stay forever with their
current version of the 2.6.17 kernel if there are no updates in the
future.

If there will be no updates for 2.6.17 in the future: Are there already
security holes in 2.6.17? Could someone please give two examples? I need
information to be able to contact the Slackware team, to request a
"downgrade" to 2.6.16.

Thank you very much in advance

Yours

Manuel Reimer


2006-12-14 15:10:59

by Jesper Juhl

Subject: Re: Will there be security updates for 2.6.17 kernels?

On 14/12/06, Manuel Reimer <[email protected]> wrote:
> Hello,
>
> my problem is, that the slackware maintainers decided to use kernel
> 2.6.17. Here is their comment, they posted to the changelog:
>
<snip>
>
> They had a 2.6.16 kernel in /extra before and as far as I know the
> 2.6.16 kernel series still gets security updates.
>
> Is this also the case for 2.6.17 kernels?

No, that is not planned. 2.6.16.x is an exception. -stable kernels
(those with 2.6.x.y versions) are only released for the latest stable
2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
out there will not be any more 2.6.19.x, only 2.6.20.x - I hope
that's clear...

> will there be an update if
> there is a security hole in the latest 2.6.17 kernel?
>
No. If the problem was also in the latest stable kernel (currently
2.6.19.1) then a fix would go into 2.6.19.2 and users can then upgrade
to that kernel. If 2.6.19.1 is not vulnerable, then everything is fine
as users of old 2.6.17 kernels can just upgrade to 2.6.19.1


> The problem is, that the slackware team doesn't patch anything on their
> own. They always wait for the update done by the author, if the bug
> isn't very critical. This means they will stay forever with their
> current version of the 2.6.17 kernel, if there will be no updates in
> future.
>
Not true. Slackware updates the kernel to fix security issues - this
has been the case in the past and I don't see why it would change in
the future.

> If there will be no updates for 2.6.17 in future: Are there already
> security holes in 2.6.17?

Probably.

> Could someone please give two examples? I need
> information to be able to contact the Slackware team, to request a
> "downgrade" to 2.6.16.
>
Ehh, you wouldn't want to do that. You'd want to encourage an upgrade
to 2.6.19.1 instead.


--
Jesper Juhl <[email protected]>
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html

2006-12-14 19:32:09

by Manuel Reimer

Subject: Re: Will there be security updates for 2.6.17 kernels?

Jesper Juhl wrote:
> No, that is not planned. 2.6.16.x is an exception. -stable kernels
> (those with 2.6.x.y versions) are only released for the latest stable
> 2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
> out there will not be any more 2.6.19.x, only 2.6.20.x - I hope
> that's clear...

Yes, I think that's clear, but are those "stable" kernels really
"stable"? Stable would be a kernel which only gets security updates and
maybe some new drivers, but not major changes in concept, which may
require modifying config scripts, init scripts or whatever in the system.

I think the 2.6.16.x would be something like this. It should do the job
until the next 2.6.x is nominated to get future security updates.

> Not true. Slackware updates the kernel to fix security issues - this
> has been the case in the past and i don't see why it would change in
> the future.

Yes, that's true. They updated the 2.4.x kernel at least once, but they
updated the kernel with an official kernel.org kernel. What I tried to
say is that they don't create their own kernel patches to fix critical
security bugs in the kernels they ship (at least as far as I know).

I just assume that they planned to stay with 2.6.17 for Slackware 11, as
this kernel works for all the other packages, scripts, ...

>> Could someone please give two examples? I need
>> information to be able to contact the Slackware team, to request a
>> "downgrade" to 2.6.16.
>>
> Ehh, you wouldn't want to do that. You'd want to encourage an upgrade
> to 2.6.19.1 instead.

I don't think they want to go that way. This would just mean that they
have to create too many updates. Maybe even one of those "stable"
kernels has a major bug (there was an XFS bug in the past. One of my
friends, who regularly compiled new kernels, lost files that way).

If 2.6.16 is the "real stable" branch, then I'd vote for using this one.

But it's not my decision. Anything I needed to know is that there will
be definitely no more security updates for 2.6.17.

Yours

Manuel Reimer

2006-12-14 20:33:10

by Mario Vanoni

Subject: Re: Will there be security updates for 2.6.17 kernels?

Not in lkml, so cc if needed.

Running 3 machines Slackware 11.0,
all kernel 2.6.18.5, no problems.
Waiting 2.6.19.3 to update ...

Regards
Mario Vanoni

2006-12-15 17:22:30

by Bill Davidsen

Subject: Re: Will there be security updates for 2.6.17 kernels?

Jesper Juhl wrote:
> On 14/12/06, Manuel Reimer <[email protected]> wrote:
>> Hello,
>>
>> my problem is, that the slackware maintainers decided to use kernel
>> 2.6.17. Here is their comment, they posted to the changelog:
>>
> <snip>
>>
>> They had a 2.6.16 kernel in /extra before and as far as I know the
>> 2.6.16 kernel series still gets security updates.
>>
>> Is this also the case for 2.6.17 kernels?
>
> No, that is not planned. 2.6.16.x is an exception. -stable kernels
> (those with 2.6.x.y versions) are only released for the latest stable
> 2.6.x kernel. So currently that's 2.6.19 and as soon as 2.6.20 comes
> out there will not be any more 2.6.19.x, only 2.6.20.x - I hope
> that's clear...
>
A happy exception I would say, given that there have been several
changes since then which might impact existing application software.
There are reasons to stay with 2.6.16 until applications have been
updated to handle the new unchanged behavior. See "VCD not readable" for
details.

--
bill davidsen <[email protected]>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979