FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Kernel

 
 
LinkBack Thread Tools
 
Old 02-19-2011, 07:25 PM
Michael Gilbert
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 19 Feb 2011 14:59:27 -0500 Michael Gilbert wrote:

> On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:
>
> > On Sat, 2011-02-19 at 14:04 -0500, Michael Gilbert wrote:
> > > On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:
> > >
> > > > On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
> > [...]
> > > > > 2. Improve testing security by reducing the amount of vulnerabilities
> > > > > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > > > > described previously)
> > > >
> > > > Huh? I don't see any source for this figure.
> > >
> > > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
> > > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html
> >
> > I read those and I can't see any source for comparison between 2.6.32
> > and 2.6.37. In fact you say that 'squeeze (2.6.32) was vulnerable to
> > 98% (51 out of 52)' which implies only 2% fewer vulnerabilities.
>
> I suppose the way I said that is confusing. That research was from
> past results, and my latest statement is a projection based on the
> past. In other words, if lenny was vulnerable to 67% of the issues that
> squeeze was, I'm projecting that it will be similar for squeeze: it
> will be vulnerable to about 67% of the issues that wheezy will;
> although that could be +-10%, +-20%, who knows since events have yet
> to happen.

I still think I've written this confusingly. Let me try one more time.
Over squeeze's testing period, the stable kernel (2.6.26) was
vulnerable to roughly 67% of the issues that the testing kernels
(2.6.28-32) were vulnerable to. Hence projecting for the future,
over wheezy's testing period, the stable kernel (2.6.32) will be
vulnerable to roughly 67% (+- some uncertainty value) of the issues
that the testing kernels (2.6.37-4x) will be vulnerable to.

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219152529.9356a506.michael.s.gilbert@gmail.co m">http://lists.debian.org/20110219152529.9356a506.michael.s.gilbert@gmail.co m
 
Old 02-19-2011, 07:30 PM
Ben Hutchings
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 2011-02-19 at 14:59 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:
[...]
> > > Again, if the user is interested in such new developments, they will
> > > need to be willing to learn how to run an unstable system.
> >
> > I thought that users interested in new stuff were supposed to run CUT.
>
> Most packages will in fact be new, just the kernel and reverse
> dependencies will be held back. Hence CUT users will get 99% new
> stuff (with respect to stable), and a tiny bit held back simply for
> stability. Like I've said a couple times now, its a balancing act.
>
> All I'm asking for is a few month long experiment. And if the
> experiment shows signs of flaws/weaknesses, then the blocker can
> certainly be lifted.

If an experiment is to have any validity, the hypothesis and the
criteria for assessing the outcome must be decided in advance. If you
can do that, perhaps you will persuade some people that this is worth
doing.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
 
Old 02-19-2011, 07:55 PM
Michael Gilbert
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 19 Feb 2011 20:30:47 +0000 Ben Hutchings wrote:

> On Sat, 2011-02-19 at 14:59 -0500, Michael Gilbert wrote:
> > On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:
> [...]
> > > > Again, if the user is interested in such new developments, they will
> > > > need to be willing to learn how to run an unstable system.
> > >
> > > I thought that users interested in new stuff were supposed to run CUT.
> >
> > Most packages will in fact be new, just the kernel and reverse
> > dependencies will be held back. Hence CUT users will get 99% new
> > stuff (with respect to stable), and a tiny bit held back simply for
> > stability. Like I've said a couple times now, its a balancing act.
> >
> > All I'm asking for is a few month long experiment. And if the
> > experiment shows signs of flaws/weaknesses, then the blocker can
> > certainly be lifted.
>
> If an experiment is to have any validity, the hypothesis and the
> criteria for assessing the outcome must be decided in advance. If you
> can do that, perhaps you will persuade some people that this is worth
> doing.

Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities

Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
Conclusion: hypothesis verified

Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
Evidence: to be collected # vulnerabilities in squeeze and wheezy
Conclusion: to be determined

Hypothesis 2: using an older kernel version makes less work to provide CUT

Criteria: how often CUT target release date is met
Evidence: to be collected monthly release date by retaining 2.6.32 and monthly
for standard unstable->testing transitions
(note: requires a 2.6.32-only period for reference)
Conclusion: to be determined

I can't imagine anyone else being put through such a arduous process
to try an experiment for a couple months. Why does it have to be so
difficult?

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219155503.c48a981e.michael.s.gilbert@gmail.co m">http://lists.debian.org/20110219155503.c48a981e.michael.s.gilbert@gmail.co m
 
Old 02-19-2011, 08:26 PM
Yves-Alexis Perez
 
Default For discussion: security support strategy for the wheezy kernel

On sam., 2011-02-19 at 15:55 -0500, Michael Gilbert wrote:
> I can't imagine anyone else being put through such a arduous process
> to try an experiment for a couple months. Why does it have to be so
> difficult?

Because noone else wants Wheezy to be stuck at 2.6.32 when 2.6.37/38 are
available.

Regards,
--
Yves-Alexis
 
Old 02-19-2011, 08:28 PM
Bastian Blank
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, Feb 19, 2011 at 03:55:03PM -0500, Michael Gilbert wrote:
> Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
>
> Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> Conclusion: hypothesis verified

Actually you did not yet proof this. Please do it.

> Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> Evidence: to be collected # vulnerabilities in squeeze and wheezy
> Conclusion: to be determined
>
> Hypothesis 2: using an older kernel version makes less work to provide CUT
>
> Criteria: how often CUT target release date is met
> Evidence: to be collected monthly release date by retaining 2.6.32 and monthly
> for standard unstable->testing transitions
> (note: requires a 2.6.32-only period for reference)
> Conclusion: to be determined

Hypothesis 3: Testing users wants old software

Criteria: to be determined
Evidence: easy
Conclusion: sorry, no chance

> I can't imagine anyone else being put through such a arduous process
> to try an experiment for a couple months. Why does it have to be so
> difficult?

You can run you little experiment. For blocking packages please persuade
the release team as responsible entity within Debian.

Bastian

--
The joys of love made her human and the agonies of love destroyed her.
-- Spock, "Requiem for Methuselah", stardate 5842.8


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219212817.GA27318@wavehammer.waldi.eu.org">ht tp://lists.debian.org/20110219212817.GA27318@wavehammer.waldi.eu.org
 
Old 02-19-2011, 08:39 PM
Ben Hutchings
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 2011-02-19 at 15:55 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 20:30:47 +0000 Ben Hutchings wrote:
>
> > On Sat, 2011-02-19 at 14:59 -0500, Michael Gilbert wrote:
> > > On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:
> > [...]
> > > > > Again, if the user is interested in such new developments, they will
> > > > > need to be willing to learn how to run an unstable system.
> > > >
> > > > I thought that users interested in new stuff were supposed to run CUT.
> > >
> > > Most packages will in fact be new, just the kernel and reverse
> > > dependencies will be held back. Hence CUT users will get 99% new
> > > stuff (with respect to stable), and a tiny bit held back simply for
> > > stability. Like I've said a couple times now, its a balancing act.
> > >
> > > All I'm asking for is a few month long experiment. And if the
> > > experiment shows signs of flaws/weaknesses, then the blocker can
> > > certainly be lifted.
> >
> > If an experiment is to have any validity, the hypothesis and the
> > criteria for assessing the outcome must be decided in advance. If you
> > can do that, perhaps you will persuade some people that this is worth
> > doing.
>
> Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
>
> Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> Conclusion: hypothesis verified
>
> Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> Evidence: to be collected # vulnerabilities in squeeze and wheezy
> Conclusion: to be determined

This experiment does not require that the propagation of kernel packages
into testing is changed.

> Hypothesis 2: using an older kernel version makes less work to provide CUT
>
> Criteria: how often CUT target release date is met
> Evidence: to be collected monthly release date by retaining 2.6.32 and monthly
> for standard unstable->testing transitions
> (note: requires a 2.6.32-only period for reference)
> Conclusion: to be determined

OK, that's a real experiment. However I suspect there will be many
confounding factors that make it difficult to single out any one cause
for delays.

> I can't imagine anyone else being put through such a arduous process
> to try an experiment for a couple months. Why does it have to be so
> difficult?

Because this experiment would involve many thousands of users, and you
have to convince other developers that the benefit to these users may be
worth the cost.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
 
Old 02-19-2011, 08:58 PM
Michael Gilbert
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 19 Feb 2011 22:28:17 +0100 Bastian Blank wrote:

> On Sat, Feb 19, 2011 at 03:55:03PM -0500, Michael Gilbert wrote:
> > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> >
> > Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> > Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > Conclusion: hypothesis verified
>
> Actually you did not yet proof this. Please do it.

I did verify it for the timeframe of the LWN study. Actually, there is
no such thing as a proof ; I suppose I could do a more thorough study
using the detailed kernel-sec data over the entire squeeze development
cycle...but that may take a while since I don't have much free time
any more.

> > Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> > Evidence: to be collected # vulnerabilities in squeeze and wheezy
> > Conclusion: to be determined
> >
> > Hypothesis 2: using an older kernel version makes less work to provide CUT
> >
> > Criteria: how often CUT target release date is met
> > Evidence: to be collected monthly release date by retaining 2.6.32 and monthly
> > for standard unstable->testing transitions
> > (note: requires a 2.6.32-only period for reference)
> > Conclusion: to be determined
>
> Hypothesis 3: Testing users wants old software
>
> Criteria: to be determined
> Evidence: easy
> Conclusion: sorry, no chance

Users have a variety of desires. It's the developers job to make the
best overall decision regardless of users' immediate demands. The
release team fights with this all the time during the freeze (users
want new software, but the risk of breakage outweighs their immediate
wants).

> > I can't imagine anyone else being put through such a arduous process
> > to try an experiment for a couple months. Why does it have to be so
> > difficult?
>
> You can run you little experiment. For blocking packages please persuade
> the release team as responsible entity within Debian.

Isn't it the kernel team that I need to convince? That's what this
discussion is all about.

Thanks,
Mike


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219165850.dbb02549.michael.s.gilbert@gmail.co m">http://lists.debian.org/20110219165850.dbb02549.michael.s.gilbert@gmail.co m
 
Old 02-19-2011, 09:40 PM
Michael Gilbert
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, 19 Feb 2011 21:39:03 +0000 Ben Hutchings wrote:
> > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> >
> > Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> > Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > Conclusion: hypothesis verified
> >
> > Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> > Evidence: to be collected # vulnerabilities in squeeze and wheezy
> > Conclusion: to be determined
>
> This experiment does not require that the propagation of kernel packages
> into testing is changed.

OK, revised hypothesis 1: using 2.6.32 in wheezy for the first year of its development
will result in fewer vulnerabilities

Criteria: fewer vulnerabilities in wheezy/2.6.32 vs unstable kernel over 1 year period
Evidence: to be collected # vulnerabilities affecting 2.6.32 and kernel in
unstable at the same time
Conclusion: to be determined

> > I can't imagine anyone else being put through such a arduous process
> > to try an experiment for a couple months. Why does it have to be so
> > difficult?
>
> Because this experiment would involve many thousands of users, and you
> have to convince other developers that the benefit to these users may be
> worth the cost.

OK, are you sufficiently convinced to give me a chance at this
experiment, at least for a couple months???

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219174028.adc96d08.michael.s.gilbert@gmail.co m">http://lists.debian.org/20110219174028.adc96d08.michael.s.gilbert@gmail.co m
 
Old 02-19-2011, 10:25 PM
Bastian Blank
 
Default For discussion: security support strategy for the wheezy kernel

On Sat, Feb 19, 2011 at 04:58:50PM -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 22:28:17 +0100 Bastian Blank wrote:
> > On Sat, Feb 19, 2011 at 03:55:03PM -0500, Michael Gilbert wrote:
> > > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> > > Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > Actually you did not yet proof this. Please do it.
> I did verify it for the timeframe of the LWN study.

The LWN study is for a wrong time frame. We speak about .26-.32 here,
not .33-.36. Also it does not take stable kernel releases into account.

> > Hypothesis 3: Testing users wants old software
> > Criteria: to be determined
> > Evidence: easy
> > Conclusion: sorry, no chance
> Users have a variety of desires.

Yes. Stable users uses stable. So you have to show that a majority of
users uses testing not to get new hardware support/new software.

> > > I can't imagine anyone else being put through such a arduous process
> > > to try an experiment for a couple months. Why does it have to be so
> > > difficult?
> > You can run you little experiment. For blocking packages please persuade
> > the release team as responsible entity within Debian.
> Isn't it the kernel team that I need to convince? That's what this
> discussion is all about.

You were not able to convince one person of the kernel team. And I still
don't see what this experiment would provide for the _users_ (I
explicitely exclude your effort, because our priority are the users and
not your experiment).

Bastian

--
Time is fluid ... like a river with currents, eddies, backwash.
-- Spock, "The City on the Edge of Forever", stardate 3134.0


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110219232526.GA28674@wavehammer.waldi.eu.org">ht tp://lists.debian.org/20110219232526.GA28674@wavehammer.waldi.eu.org
 
Old 02-20-2011, 06:24 AM
Lucas Nussbaum
 
Default For discussion: security support strategy for the wheezy kernel

On 19/02/11 at 17:40 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 21:39:03 +0000 Ben Hutchings wrote:
> > > Hypothesis 1: using an older kernel in testing results in fewer vulnerabilities
> > >
> > > Criteria: fewer vulnerabilities in lenny than squeeze during squeeze testing cycle
> > > Evidence: lenny's kernel was vulnerable to 67% of the vulnerabilities that squeeze
> > > Conclusion: hypothesis verified
> > >
> > > Criteria: fewer vulnerabilities in squeeze than wheezy during wheezy testing cycle
> > > Evidence: to be collected # vulnerabilities in squeeze and wheezy
> > > Conclusion: to be determined
> >
> > This experiment does not require that the propagation of kernel packages
> > into testing is changed.
>
> OK, revised hypothesis 1: using 2.6.32 in wheezy for the first year of its development
> will result in fewer vulnerabilities
>
> Criteria: fewer vulnerabilities in wheezy/2.6.32 vs unstable kernel over 1 year period
> Evidence: to be collected # vulnerabilities affecting 2.6.32 and kernel in
> unstable at the same time
> Conclusion: to be determined
>
> > > I can't imagine anyone else being put through such a arduous process
> > > to try an experiment for a couple months. Why does it have to be so
> > > difficult?
> >
> > Because this experiment would involve many thousands of users, and you
> > have to convince other developers that the benefit to these users may be
> > worth the cost.
>
> OK, are you sufficiently convinced to give me a chance at this
> experiment, at least for a couple months???

I don't understand why you think that testing or CUT users want an "old"
kernel, but want to run recent software for everything else on their
system.

Also, you need to see the downsides of this proposed experiment. By not
upgrading the kernel in testing, you will limit the amount of testing
that the new kernel will receive. That could, in turn, cause more bugs
to be found late in the wheezy release process, making it harder to
reach a newer stable kernel.
Or are you suggesting that we stay with 2.6.32 forever?

- Lucas


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110220072432.GA7463@xanadu.blop.info">http://lists.debian.org/20110220072432.GA7463@xanadu.blop.info
 

Thread Tools




All times are GMT. The time now is 02:06 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org