Re: Any objections to removing address@hidden
From: Mark H Weaver
Subject: Re: Any objections to removing address@hidden
Date: Sun, 04 Jun 2017 15:54:45 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Leo Famulari <address@hidden> writes:
> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need address@hidden in Guix? If not, I'd like
>> to remove it.
>>
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>>
>> What do you think?
>
> I don't have a strong objection. If somebody needs this particular Linux release
> series later, it will not be difficult for them to recreate.
>
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
>
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/
Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.
> I recommend waiting a few days for more comments. IIRC, we kept this particular
> series to work around some bugs related to GuixSD and Libreboot. So, there were
> some people using it. I'd hate to "strand" existing users who might not notice
> that they are not receiving updates to the 'linux-4.1' package they've specified
> in their GuixSD configuration.
Yes, of course, that's why I asked. If some Libreboot users still need
4.1, then we'll keep it. However, I have a vague recollection of
hearing that the problem with Libreboot has since been resolved.
> If Hydra resources are a concern, perhaps we could keep the package but not
> build it.
No, my only concern is that I've lost confidence in the security of the
4.1 kernels.
Regards,
Mark