* Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04 6:11 UTC
To: guix-devel

Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
to remove it.

Upstream security updates for it seem to be quite infrequent (2.5 months
between the last two releases), and the recent update to 4.1.40
neglected to include a fix for CVE-2017-6074, which does not inspire
confidence.

What do you think?

Mark

* Re: Any objections to removing linux-libre@4.1?
From: Leo Famulari @ 2017-06-04 16:31 UTC
To: Mark H Weaver
Cc: guix-devel

On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
> to remove it.
>
> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.
>
> What do you think?

I don't have a strong objection. If somebody needs this particular Linux
release series later, it will not be difficult for them to recreate.

On the other hand, the 4.1 series has been selected for the Linux
Foundation's Long Term Support Initiative. This program will support
Linux releases for longer than usual, so 4.1 will be in use for longer
than most of the Linux LTS releases.

Besides, kernel bugs are not rare. More will be found and disclosed, and
some will be found and kept private :/

I recommend waiting a few days for more comments. IIRC, we kept this
particular series to work around some bugs related to GuixSD and
Libreboot. So, there were some people using it. I'd hate to "strand"
existing users who might not notice that they are not receiving updates
to the 'linux-4.1' package they've specified in their GuixSD
configuration.

If Hydra resources are a concern, perhaps we could keep the package but
not build it.

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04 19:54 UTC
To: Leo Famulari
Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
>> to remove it.
>>
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>>
>> What do you think?
>
> I don't have a strong objection. If somebody needs this particular Linux release
> series later, it will not be difficult for them to recreate.
>
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
>
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/

Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.

> I recommend waiting a few days for more comments. IIRC, we kept this particular
> series to work around some bugs related to GuixSD and Libreboot. So, there were
> some people using it. I'd hate to "strand" existing users who might not notice
> that they are not receiving updates to the 'linux-4.1' package they've specified
> in their GuixSD configuration.

Yes, of course, that's why I asked. If some Libreboot users still need
4.1, then we'll keep it.

However, I have a vague recollection of hearing that the problem with
Libreboot has since been resolved.

> If Hydra resources are a concern, perhaps we could keep the package but not
> build it.

No, my only concern is that I've lost confidence in the security of the
4.1 kernels.

Regards,
Mark

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-04 21:47 UTC
To: Leo Famulari
Cc: guix-devel

I forgot to mention:

Leo Famulari <leo@famulari.name> writes:
> I'd hate to "strand" existing users who might not notice that they are
> not receiving updates to the 'linux-4.1' package they've specified in
> their GuixSD configuration.

I think they could not fail to notice, because if we removed it, any
attempt to build a system with linux-libre-4.1 would fail immediately.

Mark

* Re: Any objections to removing linux-libre@4.1?
From: Leo Famulari @ 2017-06-05 21:46 UTC
To: Mark H Weaver
Cc: guix-devel

On Sun, Jun 04, 2017 at 05:47:41PM -0400, Mark H Weaver wrote:
> I forgot to mention:
>
> Leo Famulari <leo@famulari.name> writes:
> > I'd hate to "strand" existing users who might not notice that they are
> > not receiving updates to the 'linux-4.1' package they've specified in
> > their GuixSD configuration.
>
> I think they could not fail to notice, because if we removed it, any
> attempt to build a system with linux-libre-4.1 would fail immediately.

Ah, right. I was thinking of `guix package -u .` for out-of-tree packages.

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-06 0:59 UTC
To: Leo Famulari
Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jun 04, 2017 at 05:47:41PM -0400, Mark H Weaver wrote:
>> I forgot to mention:
>>
>> Leo Famulari <leo@famulari.name> writes:
>> > I'd hate to "strand" existing users who might not notice that they are
>> > not receiving updates to the 'linux-4.1' package they've specified in
>> > their GuixSD configuration.
>>
>> I think they could not fail to notice, because if we removed it, any
>> attempt to build a system with linux-libre-4.1 would fail immediately.
>
> Ah, right. I was thinking of `guix package -u .` for out-of-tree packages.

Thanks for reminding me about this issue with "guix package -u". I just
filed a bug about this: https://bugs.gnu.org/27261

Mark

* Re: Any objections to removing linux-libre@4.1?
From: Ludovic Courtès @ 2017-06-04 21:19 UTC
To: Mark H Weaver
Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
> to remove it.
>
> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.
>
> What do you think?

No objection from me.

Thank you,
Ludo’.

* Re: Any objections to removing linux-libre@4.1?
From: Ricardo Wurmus @ 2017-06-08 14:33 UTC
To: Mark H Weaver
Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
> to remove it.

Is this not the only version of Linux libre that does not expose the
system clock bug Libreboot users suffer from?

I’m still using 4.1 on one of my machines for that reason until I can
upgrade Libreboot.

> Upstream security updates for it seem to be quite infrequent (2.5 months
> between the last two releases), and the recent update to 4.1.40
> neglected to include a fix for CVE-2017-6074, which does not inspire
> confidence.

Indeed. Thank you for checking.

> What do you think?

It would be nice if it turned out that I’m wrong about 4.1 being needed
for older versions of Libreboot. That’s my only objection to removing
it, but since that can be fixed by upgrading to a more recent Libreboot
(although that may be messy) I think it’s okay to remove it.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net

* Re: Any objections to removing linux-libre@4.1?
From: Mark H Weaver @ 2017-06-09 16:50 UTC
To: Ricardo Wurmus
Cc: guix-devel

Ricardo Wurmus <rekado@elephly.net> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
>> to remove it.
>
> Is this not the only version of Linux libre that does not expose the
> system clock bug Libreboot users suffer from?

I don't know. I had a vague recollection of hearing that the problem
has since been resolved, but I'm not sure.

> I’m still using 4.1 on one of my machines for that reason until I can
> upgrade Libreboot.

Okay, we can hold off on removing it for now. However, Sasha Levin (the
upstream linux-4.1.x maintainer) told me that this series will reach
end-of-life in 2 months, at which point it will stop receiving security
updates. At that point we'll need to remove 4.1 and find another
solution for Libreboot users, if needed.

One option would be to add a much older LTS kernel. Of those, the most
well maintained (judging solely by the dates of their most recent
release) seem to be 3.16 and 3.2.

Mark