unofficial mirror of guix-devel@gnu.org 
* Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04  6:11 UTC (permalink / raw)
  To: guix-devel

Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
to remove it.

Upstream security updates for it seem to be quite infrequent (2.5 months
between the last two releases), and the recent update to 4.1.40
neglected to include a fix for CVE-2017-6074, which does not inspire
confidence.

What do you think?

      Mark

* Re: Any objections to removing linux-libre@4.1?
From: Leo Famulari @ 2017-06-04 16:31 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
> Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
> to remove it.
> 
> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.
> 
> What do you think?

I don't have a strong objection. If somebody needs this particular Linux release
series later, it will not be difficult for them to recreate.

On the other hand, the 4.1 series has been selected for the Linux Foundation's
Long Term Support Initiative. This program will support Linux releases for
longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
releases.

Besides, kernel bugs are not rare. More will be found and disclosed, and some
will be found and kept private :/

I recommend waiting a few days for more comments. IIRC, we kept this particular
series to work around some bugs related to GuixSD and Libreboot. So, there were
some people using it. I'd hate to "strand" existing users who might not notice
that they are not receiving updates to the 'linux-4.1' package they've specified
in their GuixSD configuration.

If Hydra resources are a concern, perhaps we could keep the package but not
build it.


* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04 19:54 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
>> to remove it.
>> 
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>> 
>> What do you think?
>
> I don't have a strong objection. If somebody needs this particular Linux release
> series later, it will not be difficult for them to recreate.
>
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
>
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/

Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.

> I recommend waiting a few days for more comments. IIRC, we kept this particular
> series to work around some bugs related to GuixSD and Libreboot. So, there were
> some people using it. I'd hate to "strand" existing users who might not notice
> that they are not receiving updates to the 'linux-4.1' package they've specified
> in their GuixSD configuration.

Yes, of course, that's why I asked.  If some Libreboot users still need
4.1, then we'll keep it.  However, I have a vague recollection of
hearing that the problem with Libreboot has since been resolved.

> If Hydra resources are a concern, perhaps we could keep the package but not
> build it.

No, my only concern is that I've lost confidence in the security of the
4.1 kernels.

     Regards,
       Mark

* Re: Any objections to removing linux-libre@4.1?
From: Ludovic Courtès @ 2017-06-04 21:19 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

Mark H Weaver <mhw@netris.org> skribis:

> Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
> to remove it.
>
> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.
>
> What do you think?

No objection from me.

Thank you,
Ludo’.

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04 21:47 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

I forgot to mention:

Leo Famulari <leo@famulari.name> writes:
> I'd hate to "strand" existing users who might not notice that they are
> not receiving updates to the 'linux-4.1' package they've specified in
> their GuixSD configuration.

I think they could not fail to notice, because if we removed it, any
attempt to build a system with linux-libre-4.1 would fail immediately.

      Mark

* Re: Any objections to removing linux-libre@4.1?
From: Leo Famulari @ 2017-06-05 21:46 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Sun, Jun 04, 2017 at 05:47:41PM -0400, Mark H Weaver wrote:
> I forgot to mention:
> 
> Leo Famulari <leo@famulari.name> writes:
> > I'd hate to "strand" existing users who might not notice that they are
> > not receiving updates to the 'linux-4.1' package they've specified in
> > their GuixSD configuration.
> 
> I think they could not fail to notice, because if we removed it, any
> attempt to build a system with linux-libre-4.1 would fail immediately.

Ah, right. I was thinking of `guix package -u .` for out-of-tree packages.

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-06  0:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jun 04, 2017 at 05:47:41PM -0400, Mark H Weaver wrote:
>> I forgot to mention:
>> 
>> Leo Famulari <leo@famulari.name> writes:
>> > I'd hate to "strand" existing users who might not notice that they are
>> > not receiving updates to the 'linux-4.1' package they've specified in
>> > their GuixSD configuration.
>> 
>> I think they could not fail to notice, because if we removed it, any
>> attempt to build a system with linux-libre-4.1 would fail immediately.
>
> Ah, right. I was thinking of `guix package -u .` for out-of-tree packages.

Thanks for reminding me about this issue with "guix package -u".
I just filed a bug about this:

  https://bugs.gnu.org/27261

      Mark

* Re: Any objections to removing linux-libre@4.1?
From: Ricardo Wurmus @ 2017-06-08 14:33 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel


Mark H Weaver <mhw@netris.org> writes:

> Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
> to remove it.

Is this not the only version of Linux libre that does not expose the
system clock bug Libreboot users suffer from?

I’m still using 4.1 on one of my machines for that reason until I can
upgrade Libreboot.

> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.

Indeed.  Thank you for checking.

> What do you think?

It would be nice if it turned out that I’m wrong about 4.1 being needed
for older versions of Libreboot.  That’s my only objection to removing
it, but since that can be fixed by upgrading to a more recent Libreboot
(although that may be messy) I think it’s okay to remove it.

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-09 16:50 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <rekado@elephly.net> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> Does anyone here still need linux-libre@4.1 in Guix?  If not, I'd like
>> to remove it.
>
> Is this not the only version of Linux libre that does not expose the
> system clock bug Libreboot users suffer from?

I don't know.  I had a vague recollection of hearing that the problem
has since been resolved, but I'm not sure.

> I’m still using 4.1 on one of my machines for that reason until I can
> upgrade Libreboot.

Okay, we can hold off on removing it for now.  However, Sasha Levin (the
upstream linux-4.1.x maintainer) told me that this series will reach
end-of-life in 2 months, at which point it will stop receiving security
updates.  At that point we'll need to remove 4.1 and find another
solution for Libreboot users, if needed.  One option would be to add a
much older LTS kernel.  Of those, the most well maintained (judging
solely by the dates of their most recent release) seem to be 3.16 and
3.2.

      Mark
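
The two criteria Mark applies in this thread (how long a stable series goes between releases, and whether its latest release actually carries the fix for a known CVE) can be written down as a small triage check. This is an added example, not code from the thread or from Guix; the release dates, the 4.9 version labels and the "today" value are constructed for illustration, and only CVE-2017-6074 and the observation that 4.1.40 lacked its fix come from the thread.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Series:
    name: str
    releases: tuple        # ((version, release date), ...), oldest first
    fixed_cves: frozenset  # CVEs whose fix is present in the latest release


# Constructed sample data (not upstream records). The 4.1 entry mirrors the
# thread: 4.1.40 arrived roughly 2.5 months after its predecessor and still
# lacked the CVE-2017-6074 fix; the 4.9 entry stands in for a series that
# ships updates promptly. Version labels "4.9.x-N" are placeholders.
SERIES = {
    "4.9": Series("4.9", (("4.9.x-1", date(2017, 4, 27)),
                          ("4.9.x-2", date(2017, 5, 14)),
                          ("4.9.x-3", date(2017, 5, 25))),
                  frozenset({"CVE-2017-6074"})),
    "4.1": Series("4.1", (("4.1.39", date(2017, 2, 23)),
                          ("4.1.40", date(2017, 5, 9))),
                  frozenset()),
}
TODAY = date(2017, 6, 4)  # constructed: the date of the opening mail


def release_gaps(series):
    """Days between consecutive releases, oldest pair first."""
    dates = [d for _, d in series.releases]
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def assess(series, today, required_cves, max_gap_days=45):
    """Return the reasons a series looks unsafe to keep packaging; an empty
    list means it passes both the cadence and the CVE-coverage checks."""
    reasons = []
    version, latest = series.releases[-1]
    gaps = release_gaps(series)
    if gaps and max(gaps) > max_gap_days:
        reasons.append(f"longest gap between releases is {max(gaps)} days "
                       f"(limit {max_gap_days})")
    if (today - latest).days > max_gap_days:
        reasons.append(f"latest release {version} is {(today - latest).days} days old")
    for cve in sorted(required_cves - series.fixed_cves):
        reasons.append(f"{cve} is not fixed in {version}")
    return reasons


if __name__ == "__main__":
    for name, s in SERIES.items():
        problems = assess(s, TODAY, {"CVE-2017-6074"})
        print(name, "OK" if not problems else "; ".join(problems))
```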
