Dear SuSE Security Team!

I know that you are working hard, but today I read a posting on www.linux-community.de (German Linux forum), where they noted that all major distributors [except SuSE!] have published a kernel update. This posting is 2 days old! It makes me a little bit sad, because I'm really a SuSE fan, but the speed of the security team is in some cases not the best (from my experience: especially with kernels).

I know the strategy that only old versions get fixed. Why can't you (in such a severe case) just get the original kernel source, compile it, make a binary diff with the one on the distribution (to be sure), patch it, and get it out? I'm very sure that the next kernel update will address more issues. But if those issues need testing that slows down security fixes, I'm a bit unsure about your strategy.

Markus

PS: I've seen that the update kernel on 9.0 contains stack overflow protection - I've been waiting for that for years! But at least it is there now :-))

-- 
__________________
 /"\   Markus Gaugusch
 \ /   ASCII Ribbon Campaign
  X    markus@gaugusch.at
 / \   Against HTML Mail
Hi Markus,

> Dear SuSE Security Team! I know that you are working hard, but today I read a posting on www.linux-community.de (German Linux forum), where they noted that all major distributors [except SuSE!] have published a kernel update. This posting is 2 days old! It makes me a little bit sad, because I'm really a SuSE fan, but the speed of the security team is in some cases not the best (from my experience: especially with kernels).
>
> I know the strategy that only old versions get fixed. Why can't you (in such a severe case) just get the original kernel source, compile it, make a binary diff with the one on the distribution (to be sure), patch it, and get it out? I'm very sure that the next kernel update will address more issues. But if those issues need testing that slows down security fixes, I'm a bit unsure about your strategy.

The strategy is clear: Get that stuff out as soon as possible, and make sure under all circumstances that the customers' machines will boot after the update. It's just that you can't make sure that the QA for such an update happens momentarily, even though all resources are working on it.

> Markus
>
> PS: I've seen that the update kernel on 9.0 contains stack overflow protection - I've been waiting for that for years! But at least it is there now :-))

If you guys are running rsync servers, you should disable these until our update packages are out.

Roman.
On Dec 4, Roman Drahtmueller wrote:

> The strategy is clear: Get that stuff out as soon as possible, and make sure under all circumstances that the customers' machines will boot after the update.

Right. But are the 3 other major distributors not having such a good QA? In my opinion, you are putting more fixes into the kernel than necessary for this particular bug. And this is costing time. (Of course my postings are also costing your time, but I'm trying to be constructive!) We surely don't want to update our kernels every other week, but every one of us has critical systems that need to be protected. If I can't rely on the distribution kernel and have to do it myself, it is wasted time for you to put so much effort in it! I've also heard that the ulimit workaround "fixes" only one of three cases of possible break-in, so it is not a solution.

> It's just that you can't make sure that the QA for such an update happens momentarily, even though all resources are working on it.

I assume that your resources are overloaded, and people can't assume the fastest service for buying a 90 EUR box product. But even the Debian people made it, although they had this horrible break-in.

> > PS: I've seen that the update kernel on 9.0 contains stack overflow protection - I've been waiting for that for years! But at least it is there now :-))
>
> If you guys are running rsync servers, you should disable these until our update packages are out.

It is available over YOU - is there something wrong with that one?

kind regards,
Markus

-- 
__________________
 /"\   Markus Gaugusch
 \ /   ASCII Ribbon Campaign
  X    markus@gaugusch.at
 / \   Against HTML Mail
> > It's just that you can't make sure that the QA for such an update happens momentarily, even though all resources are working on it.
>
> I assume that your resources are overloaded, and people can't assume the fastest service for buying a 90 EUR box product. But even the Debian people made it, although they had this horrible break-in.

You'll see a demonstration of speed today. I don't want to compare SUSE to Debian and vice versa. Yes, they do an excellent job, absolutely no doubt. But we're handling 5 distributions and similarly many business products on more than 6 architectures, and we have different requirements for QA than anybody else (all distros). The overall comparison should be quite positive for SUSE, especially if you take into account that we have been using several weeks (sometimes) for low-profile bugs, while the low-profile ones have been passed every now and then by one or more high-profile bugs. We handle those quite quickly.

> > > PS: I've seen that the update kernel on 9.0 contains stack overflow protection - I've been waiting for that for years! But at least it is there now :-))
> >
> > If you guys are running rsync servers, you should disable these until our update packages are out.
>
> It is available over YOU - is there something wrong with that one?

There will be new ones, shortly.

Roman.
participants (2)
- Markus Gaugusch
- Roman Drahtmueller