Mailinglist Archive: opensuse-security (555 mails)

Re: [suse-security] Kernel security
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Wed, 9 May 2001 11:50:41 +0200
  • Message-id: <20010509115041.G3483@xxxxxxxxx>
* Markus Gaugusch wrote on Wed, May 09, 2001 at 10:02 +0200:
> > ssh? cron? syslog? ntp?

> they are much easier to build, than a kernel. Kernel means really high
> complexity for the distributor, because it has to run on many, many, many,
> MANY different machines.

I agree, and SuSE demonstrated that even ordinary RPMs are not
trivial, since the dependencies may have changed on the build host, which
could make the rebuilt RPM unusable on other hosts.

> What I wanted to say, is, that the kernel is so special, that every admin
> should know, how to build it, and apply patches. Just like every windoze
> user knows how to reboot ...

I think I know how to build a kernel, and I have built a lot of them. But I
don't want to do it, and making a useful kernel RPM is another task
than just building a kernel. Remember modules like freeswan.

> > I must disagree on this point. Does everyone that drives a
> > car know how to fix it? I sure don't.

> No, but people driving through the desert should at least be able to
> change the tires if one gets damaged.

So an admin must be able to change/update a kernel RPM supplied by
the vendor according to the update instructions, not more.

> The internet is a hard place, and admins must be able to
> survive there.

Building kernels is more complex than it seems to be; there are a
lot of patches for some device drivers, patches which interfere
with each other, like kerneli and freeswan and others.

From my point of view it's not necessary for every admin to
reinvent the wheel (or a kernel RPM); it should be the task of the
vendor. But currently there are problems (missing announcements,
missing kernel module updates and others).

I asked already on this list, let me repeat my question:

Which kernel RPM (without the <2.2.18 ptrace bug) is working with
with distribution? Are the kernel-dependent packages (like
freeswan) available? Usually it's necessary to update them as
well - at least when changing the kernel version.

oki,

Steffen

--
This letter was generated by machine;
it therefore bears neither signature nor seal.
