From: Mark H Weaver
Subject: Re: Any objections to removing linux-libre@4.1?
Date: Sun, 04 Jun 2017 15:54:45 -0400
Message-ID: <87shjfv88q.fsf@netris.org>
References: <87wp8suvs4.fsf@netris.org> <20170604163130.GA14880@jasmine>
In-Reply-To: <20170604163130.GA14880@jasmine> (Leo Famulari's message of "Sun, 4 Jun 2017 12:31:30 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
>> to remove it.
>>
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>>
>> What do you think?
>
> I don't have a strong objection. If somebody needs this particular Linux release
> series later, it will not be difficult for them to recreate.
>
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
>
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/

Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.

> I recommend waiting a few days for more comments. IIRC, we kept this particular
> series to work around some bugs related to GuixSD and Libreboot. So, there were
> some people using it. I'd hate to "strand" existing users who might not notice
> that they are not receiving updates to the 'linux-4.1' package they've specified
> in their GuixSD configuration.

Yes, of course, that's why I asked. If some Libreboot users still need
4.1, then we'll keep it. However, I have a vague recollection of hearing
that the problem with Libreboot has since been resolved.

> If Hydra resources are a concern, perhaps we could keep the package but not
> build it.

No, my only concern is that I've lost confidence in the security of the
4.1 kernels.

Regards,
Mark