* [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
From: Tom Wijsman @ 2013-03-21 10:31 UTC
To: Gentoo Kernel List

This is an automated email announcing the release of genpatches-3.8-7

CHANGES SINCE 3.8-6
-----------------------

Revision 2320: Linux patches 3.0.70, 3.2.41, 3.4.37 and 3.8.4. Removed
2300_fix-warm-port-reset.patch as it is part of the 3.2.41 patch. (tomwij)
Added: 1069_linux-3.0.70.patch
Added: 1040_linux-3.2.41.patch
Added: 1036_linux-3.4.37.patch
Added: 1003_linux-3.8.4.patch
Deleted: 2300_fix-warm-port-reset.patch

Revision 2324: 3.8-7 release (tomwij)

PATCHES
-------

When the website updates, the complete patch list and split-out patches
will be available here:
http://dev.gentoo.org/~mpagano/genpatches/patches-3.8-7.htm
http://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-3.8-7.base.tar.bz2
http://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-3.8-7.extras.tar.bz2

ABOUT GENPATCHES
----------------

genpatches is the patchset applied to some kernels available in Portage.

For more information, see the genpatches homepage:
http://dev.gentoo.org/~mpagano/genpatches

For a simple example of how to use genpatches in your kernel ebuild,
look at a recent gentoo-sources ebuild.

* Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
From: Eric F. GARIOUD @ 2013-03-21 11:43 UTC
To: gentoo-kernel

On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote:

> Added: 1069_linux-3.0.70.patch
> Added: 1040_linux-3.2.41.patch
> Added: 1036_linux-3.4.37.patch
> Added: 1003_linux-3.8.4.patch

Should I understand from this that the gentoo-sources project gets no
intention to port the security fixes back to the 3.7 and 3.6 branches ?

In case of a positive answer and in case I would port the security fixes
back to the 3.6 branch myself, would you accept to package & distribute
the result as genpatches ?

* Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
From: Tom Wijsman @ 2013-03-21 12:22 UTC
To: gentoo-kernel; +Cc: mpagano

On Thu, 21 Mar 2013 12:43:29 +0100
"Eric F. GARIOUD" <eric-f.garioud@wanadoo.fr> wrote:

> On Thursday 21 March 2013 11:31:55 Tom Wijsman wrote:
>
> > Added: 1069_linux-3.0.70.patch
> > Added: 1040_linux-3.2.41.patch
> > Added: 1036_linux-3.4.37.patch
> > Added: 1003_linux-3.8.4.patch
>
> Should I understand from this that the gentoo-sources project gets no
> intention to port the security fixes back to the 3.7 and 3.6
> branches ?

Above commit merely reflects the upstream version bumps, you will not
want to draw assumptions based on a single commit.

As to address your question, it doesn't come down to intention but
rather to manpower. There are way too much security bugs for ~2 kernel
maintainers to handle [1] while we have to deal with normal kernel
bugs [2], kernel version bumps, relevant packages and more...

It doesn't just stop with the lack of manpower on the kernel team, the
stabilization team can't provide the effort to stabilize all security
fixes; I'm considering to join amd64 and x86, but that's not enough.

Therefore, we currently only deal with the security fixes which can
allow a normal user to gain root privileges in one or another way;
these are the most severe and special attention is given to those.

Then, the other thing to consider would indeed be intention; if we were
able to do this, we would combine them into revision bumps so there
isn't anything else than the lack of manpower in the way, afaik.

[1]: List of kernel bugs assigned to security@gentoo.org.
https://bugs.gentoo.org/buglist.cgi?quicksearch=Kernel%20assignee%3Asecurity%40gentoo.org

[2]: List of kernel bugs not assigned to security@gentoo.org.
https://bugs.gentoo.org/buglist.cgi?cmdtype=runnamed&namedcmd=Kernel&list_id=1621534

> In case of a positive answer and in case I would port the security
> fixes back to the 3.6 branch myself, would you accept to package &
> distribute the result as genpatches ?
>

There are two approaches here (I assume you are not a Gentoo Dev):

1) You could opt to become a Gentoo Developer and join the kernel team;
   we can mentor you, you then no longer need to await proxy-maint.

2) If possible by policy, we could ask for you to get explicit access
   to genpatches such that you can add these patches and then when
   there are a sufficient amount in a branch we can then release a new
   genpatches for that branch.

A third approach would be sending patches, but that would introduce a
lot of unnecessary communication which burdens us both with extra work.

Please note that fixing these security bugs go further than just
maintaining EOL branches; the LTS branches also need to be checked, it
might not always guaranteed upstream ports back everything to that.

With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D

* Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
From: Eric F. GARIOUD @ 2013-03-21 13:36 UTC
To: gentoo-kernel

On Thursday 21 March 2013 13:22:35 Tom Wijsman wrote:

> As to address your question, it doesn't come down to intention but
> rather to manpower.

I appreciate this.
However, when things go down to a problem of manpower, the very first
initiative common sense commands is to avoid wasting it.
And the first way I know to avoid wasting manpower is :
- displaying intentions !

I have asked here, in 3.4.9 times, for the intentions of the
gentoo-sources regarding the 3.4 LTS and was answered that it would not
be followed.

Fair enough, because I wanted the ck-sources to follow it, we made the
job of reviewing all upstream's patches from 3.4.9 up to 3.4.18 and from
there up to 3.4.23... and then discovered the gentoo-sources catching up
from 3.4.9 to 3.4.24.

Of course I do not blame anybody for this, after all, each to his own.
However, the result of this is that we (as GS+CK) have almost certainly
achieved a great part of the dirty job twice !

Hence my first question regarding the gentoo-sources project's
intentions regarding the 3.6 and 3.7 branches.

Regards,

Eric

* Re: [gentoo-kernel] [ANNOUNCE] genpatches-3.8-7 release
From: Tom Wijsman @ 2013-03-21 14:12 UTC
To: gentoo-kernel

On Thu, 21 Mar 2013 14:36:11 +0100
"Eric F. GARIOUD" <eric-f.garioud@wanadoo.fr> wrote:

> On Thursday 21 March 2013 13:22:35 Tom Wijsman wrote:
>
> > As to address your question, it doesn't come down to intention but
> > rather to manpower.
>
> I appreciate this.
> However, when things go down to a problem of manpower, the very first
> initiative common sense commands is to avoid wasting it.
> And the first way I know to avoid wasting manpower is :
> - displaying intentions !
>
> I have asked here, in 3.4.9 times, for the intentions of the
> gentoo-sources regarding the 3.4 LTS and was answered that it would
> not be followed.

Just like in last mail, I guess this was due to the lack of manpower;
now that I joined we have time to do the 3.x LTS branches (lately I
have been doing them all since I don't maintain that much packages yet;
maybe mpagano is taking a time off, not sure but he seems busy...).

> Fair enough, because I wanted the ck-sources to follow it, we made
> the job of reviewing all upstream's patches from 3.4.9 up to 3.4.18
> and from there up to 3.4.23... and then discovered the gentoo-sources
> catching up from 3.4.9 to 3.4.24.

Times have changed, bumps for everything in 3.x we are following. :)

> Of course I do not blame anybody for this, after all, each to his own.
> However, the result of this is that we (as GS+CK) have almost
> certainly achieved a great part of the dirty job twice !

Okay, I see where you are getting at; seems like this is also due to
the nature of the kernel being split over multiple packages instead of
using a single package with multiple USE flags.

I've been wondering if there would be a benefit changing this model to
ensure there is no lost manpower (regardless of the actual patches,
we're also duplicating the kernel bumps / stabilization / ... as well).

> Hence my first question regarding the gentoo-sources project's
> intentions regarding the 3.6 and 3.7 branches.

We won't touch them apart from important bug fixes and root privilege
escalation security issues; but if you are willing to fix all the
security bugs, we could make them available in genpatches to benefit
everyone. Combining multiple security bug fixes together in each
genpatch release then could make it accessible in revision bumps across
all sources in and out of the tree.

> Regards,
>
> Eric
>

With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D