Date: Wed, 6 Aug 2003 21:11:01 +0200
From: Diego Calleja =?ISO-8859-15?Q?Garc=EDa?= <diegocg@teleline.es>
To: Juergen Schmidt <ju@heisec.de>
Cc: linux-kernel@vger.kernel.org
Subject: Re: security advisories for the kernel
Message-Id: <20030806211101.72031376.diegocg@teleline.es>
In-Reply-To: <Pine.LNX.4.44.0308060934480.3262-100000@loki.ct.heise.de>
References: <Pine.LNX.4.44.0308060934480.3262-100000@loki.ct.heise.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1380
Lines: 29

El Wed, 6 Aug 2003 18:31:31 +0200 (CEST) Juergen Schmidt <ju@heisec.de> escribi?:

> I know, that some of you think, it's the task of the distributors, to
> issue security advisories. I disagree: You publish code on kernel.org that
> people use. That code contains security related bugs. You fix them and
> publish corrected code. People expect from you, to issue an advisory
> about the security bugs you have fixed - and imho they are right...

I agree that people must have something to upgrade to. They're said
"update the kernel from your vendor" or "run 2.4.XX-pre which contains
the security fixes"; but a lot of people don't use vendor kernels and
they don't even know that -pre contains fixes. (where is the
announcement if there's one?)

Can't we have a 2.4.22 which has 2.4.21 + only
the security fixes? Or a 2.4-current which contains current kernel +
security fixes + very important fixes.

I can understand that you can't upgrade the kernel each time there's
a security issue, but this time there're a lof of them, and people
*don't* really know what they've to upgrade. They're just waiting
for a release.

Diego Calleja
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/