Mailinglist Archive: opensuse-security (555 mails)

< Previous Next >
Re: [suse-security] Kernel security
> I agree, and SuSE demonstrated that even ordinary RPMs are not
> trival, since the depencies may have changed on build host, which
> could make the rebuild RPM unusable on other hosts.

$ rpm -qpl k_deflt.rpm |grep /modules/|wc -l

The upcoming 2.4 kernel: 1117 kernel modules.
Needless to say that this is a bit worksome.

> > What I wanted to say, is, that the kernel is so special, that every admin
> > should know, how to build it, and apply patches. Just like very windoze
> > user knows how to reboot ...
> I think I know how to build a kernel, and I built a lot of. But I
> don't want to do it, and make a useful kernel RPM is another task
> than just building a kernel. Remember modules like freeswan.

That's where we still have a problem: freeswan. It is one of the few
packages that have their own kernel module (usually the modules are inside
the kernel rpm).

> Building kernels is more complex than it seems to be, there are a
> lot of patches for some device drivers, patches with interfere
> each other, like kerneli and freeswan and others.
> >From my point of view it's not nessacary for every admin to
> reinvent the wheel (or a kernel RPM), it should be task of the
> vendor. But currently there are problems (missing announcements,
> missing kernel module updates and others).

It's as with cars: In the beginning, everybody must have been able to take
apart the engine to repair it. Later, when technique became too complex on
the one side and when people who didn't know anything about engines could
drive, mechanics took over that part. A few years back everybody compiled
her own kernel, and today it is expected that the mechanics solve that
problem. And I fully agree with that.

> I asked already on this list, let me repeat my question:
> Which kernel RPM (without the <2.2.18 ptrace bug) is working with
> with distribution? Are the kernel depended packages (like
> freeswan) available? Usually it's nessasary to update them as
> well - at least when changing the kernel version.

There are multiple bugs in the kernel, and the ptrace bug is only one of

All kernels that can currently be found on* do fix the known security problems.
These kernels call themselves 2.2.18, but they are basically 2.2.19 with
only a few items missing (most important the version number change).

rpm -Uhv k_deflt.rpm

We are very close to the announcement.

> Steffen

- -
| Roman Drahtm├╝ller <draht@xxxxxxx> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| N├╝rnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -

< Previous Next >
Follow Ups