public inbox for gentoo-kernel@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
@ 2013-06-21 14:58 Greg KH
  2013-06-21 15:30 ` Mike Pagano
  2013-06-22  0:02 ` Tom Wijsman
  0 siblings, 2 replies; 35+ messages in thread
From: Greg KH @ 2013-06-21 14:58 UTC (permalink / raw
  To: gentoo-kernel

Hi all,

I bumped the vanilla-kernel sources yesterday, and deleted some
obsolete, and known-insecure versions at the same time (i.e. the 3.7 and
3.8 ebuilds.)  They were added back because they were the last releases
marked "stable" for some arches.

In thinking about this, that's totally wrong.  Either all of these
ebuilds are marked stable, or none are.  And we should really NEVER have
known buggy ebuilds marked stable for the vanilla kernels, as that's
just dangerous on many different levels.

So, should I just mark these always stable, or never stable?  I don't
think we should mix the two, as the previous versions are always known
buggy, and have problems, and shouldn't be used.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 14:58 [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions Greg KH
@ 2013-06-21 15:30 ` Mike Pagano
  2013-06-21 15:46   ` Anthony G. Basile
                     ` (2 more replies)
  2013-06-22  0:02 ` Tom Wijsman
  1 sibling, 3 replies; 35+ messages in thread
From: Mike Pagano @ 2013-06-21 15:30 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 07:58:01AM -0700, Greg KH wrote:
> Hi all,
> 
> I bumped the vanilla-kernel sources yesterday, and deleted some
> obsolete, and known-insecure versions at the same time (i.e. the 3.7 and
> 3.8 ebuilds.)  They were added back because they were the last releases
> marked "stable" for some arches.
> 
> In thinking about this, that's totally wrong.  Either all of these
> ebuilds are marked stable, or none are.  And we should really NEVER have
> known buggy ebuilds marked stable for the vanilla kernels, as that's
> just dangerous on many different levels.
> 
> So, should I just mark these always stable, or never stable?  I don't
> think we should mix the two, as the previous versions are always known
> buggy, and have problems, and shouldn't be used.
> 
> thanks,
> 
> greg k-h
> 


Hi, Greg,

We hammered out a policy sometime in the past that if you add a new
version for the reasons you did and remove the stable ones (that have
security issues) you can do an auto stable.

I have not gone through the commit log to see what happened but here is
an easy example.

You know the stable version 3.8.4 has a sec bug.
You have a minor point release that fixes this.

You remove 3.8.4, add 3.8.5 and auto stable for any arch that had a
stable keyword for 3.8.4.

This should be written down and if it's not that's probably on me as I
am the only kernel person (i think) that was involved in the decision
and is still around.

Mike

P.S. if 3.8.4 is bad, and we have to go to 3.9 we ask for a quick
"emergency" stabilization effort by the arch teams.

Let me know if that is clear as mud.

-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 15:30 ` Mike Pagano
@ 2013-06-21 15:46   ` Anthony G. Basile
  2013-06-21 16:49     ` Greg KH
  2013-06-21 16:48   ` Greg KH
  2013-06-22  0:23   ` Tom Wijsman
  2 siblings, 1 reply; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-21 15:46 UTC (permalink / raw
  To: gentoo-kernel

On 06/21/2013 11:30 AM, Mike Pagano wrote:
> This should be written down and if it's not that's probably on me as I
> am the only kernel person (i think) that was involved in the decision
> and is still around.

Nope, I was there.  It was the IA32 on amd64 syscall local root exploit 
that got us "blogged" about ... remember that :)

Anyhow, no brainer here.  The kernel is not like the other software we 
stabilize.  Somewhere in its configuration space and in the hardware 
space in which it will be run, there are bugs.  Minor version bumps to 
address security issues followed by auto stabilization are the correct 
thing to do.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 15:30 ` Mike Pagano
  2013-06-21 15:46   ` Anthony G. Basile
@ 2013-06-21 16:48   ` Greg KH
  2013-06-21 17:20     ` Eric F. GARIOUD
  2013-06-21 19:36     ` Mike Pagano
  2013-06-22  0:23   ` Tom Wijsman
  2 siblings, 2 replies; 35+ messages in thread
From: Greg KH @ 2013-06-21 16:48 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 11:30:56AM -0400, Mike Pagano wrote:
> On Fri, Jun 21, 2013 at 07:58:01AM -0700, Greg KH wrote:
> > Hi all,
> > 
> > I bumped the vanilla-kernel sources yesterday, and deleted some
> > obsolete, and known-insecure versions at the same time (i.e. the 3.7 and
> > 3.8 ebuilds.)  They were added back because they were the last releases
> > marked "stable" for some arches.
> > 
> > In thinking about this, that's totally wrong.  Either all of these
> > ebuilds are marked stable, or none are.  And we should really NEVER have
> > known buggy ebuilds marked stable for the vanilla kernels, as that's
> > just dangerous on many different levels.
> > 
> > So, should I just mark these always stable, or never stable?  I don't
> > think we should mix the two, as the previous versions are always known
> > buggy, and have problems, and shouldn't be used.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> 
> Hi, Greg,
> 
> We hammered out a policy sometime in the past that if you add a new
> version for the reasons you did and remove the stable ones (that have
> security issues) you can do an auto stable.

Where was that hammered out?  On this list?

> I have not gone through the commit log to see what happened but here is
> an easy example.
> 
> You know the stable version 3.8.4 has a sec bug.
> You have a minor point release that fixes this.
> 
> You remove 3.8.4, add 3.8.5 and auto stable for any arch that had a
> stable keyword for 3.8.4.
> 
> This should be written down and if it's not that's probably on me as I
> am the only kernel person (i think) that was involved in the decision
> and is still around.

But every single stable kernel release I make fixes bugs that some might
consider "security" issues.  So that means that every single stable
release should be marked stable, right?

We should _never_ have an end-of-life kernel marked stable, that's just
asking for trouble.

> P.S. if 3.8.4 is bad, and we have to go to 3.9 we ask for a quick
> "emergency" stabilization effort by the arch teams.
> 
> Let me know if that is clear as mud.

It's clear, but I feel incorrect :)

As we can't do anything to these releases to fix problems or "make them
more stable", they should either always be unstable, or always be
stable, there is no difference.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 15:46   ` Anthony G. Basile
@ 2013-06-21 16:49     ` Greg KH
  0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-21 16:49 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 11:46:32AM -0400, Anthony G. Basile wrote:
> On 06/21/2013 11:30 AM, Mike Pagano wrote:
> >This should be written down and if it's not that's probably on me as I
> >am the only kernel person (i think) that was involved in the decision
> >and is still around.
> 
> Nope, I was there.  It was the IA32 on amd64 syscall local root
> exploit that got us "blogged" about ... remember that :)
> 
> Anyhow, no brainer here.  The kernel is not like the other software
> we stabilize.  Somewhere in its configuration space and in the
> hardware space in which it will be run, there are bugs.  Minor
> version bumps to address security issues followed by auto
> stabilization are the correct thing to do.

So that means every single stable release should be marked stable then,
right?

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 16:48   ` Greg KH
@ 2013-06-21 17:20     ` Eric F. GARIOUD
  2013-06-21 17:50       ` Greg KH
  2013-06-21 19:36     ` Mike Pagano
  1 sibling, 1 reply; 35+ messages in thread
From: Eric F. GARIOUD @ 2013-06-21 17:20 UTC (permalink / raw
  To: gentoo-kernel

On Friday 21 June 2013 18:48:41 Greg KH wrote:

> We should _never_ have an end-of-life kernel marked stable, that's just
> asking for trouble.

What about keeping the stable mark and add a package mask?


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 17:20     ` Eric F. GARIOUD
@ 2013-06-21 17:50       ` Greg KH
  2013-06-21 19:51         ` Eric F. GARIOUD
  0 siblings, 1 reply; 35+ messages in thread
From: Greg KH @ 2013-06-21 17:50 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 07:20:23PM +0200, Eric F. GARIOUD wrote:
> On Friday 21 June 2013 18:48:41 Greg KH wrote:
> 
> > We should _never_ have an end-of-life kernel marked stable, that's just
> > asking for trouble.
> 
> What about keeping the stable mark and add a package mask?

And when does that mask get changed?

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 16:48   ` Greg KH
  2013-06-21 17:20     ` Eric F. GARIOUD
@ 2013-06-21 19:36     ` Mike Pagano
  2013-06-21 21:06       ` Greg KH
  1 sibling, 1 reply; 35+ messages in thread
From: Mike Pagano @ 2013-06-21 19:36 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 09:48:41AM -0700, Greg KH wrote:
> On Fri, Jun 21, 2013 at 11:30:56AM -0400, Mike Pagano wrote:
> > On Fri, Jun 21, 2013 at 07:58:01AM -0700, Greg KH wrote:
> > > Hi all,
> > > 
> > > I bumped the vanilla-kernel sources yesterday, and deleted some
> > > obsolete, and known-insecure versions at the same time (i.e. the 3.7 and
> > > 3.8 ebuilds.)  They were added back because they were the last releases
> > > marked "stable" for some arches.
> > > 
> > > In thinking about this, that's totally wrong.  Either all of these
> > > ebuilds are marked stable, or none are.  And we should really NEVER have
> > > known buggy ebuilds marked stable for the vanilla kernels, as that's
> > > just dangerous on many different levels.
> > > 
> > > So, should I just mark these always stable, or never stable?  I don't
> > > think we should mix the two, as the previous versions are always known
> > > buggy, and have problems, and shouldn't be used.
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > 
> > 
> > Hi, Greg,
> > 
> > We hammered out a policy sometime in the past that if you add a new
> > version for the reasons you did and remove the stable ones (that have
> > security issues) you can do an auto stable.
> 
> Where was that hammered out?  On this list?

In bugzilla, and I will locate the bug after I get home from work or
tomorrow.
> 
> > I have not gone through the commit log to see what happened but here is
> > an easy example.
> > 
> > You know the stable version 3.8.4 has a sec bug.
> > You have a minor point release that fixes this.
> > 
> > You remove 3.8.4, add 3.8.5 and auto stable for any arch that had a
> > stable keyword for 3.8.4.
> > 
> > This should be written down and if it's not that's probably on me as I
> > am the only kernel person (i think) that was involved in the decision
> > and is still around.
> 
> But every single stable kernel release I make fixes bugs that some might
> consider "security" issues.  So that means that every single stable
> release should be marked stable, right?

This policy was put in place for the really "serious" security issues.
It was expected that the person from the kernel team can make the call
on whether auto stablizing is the way to go for a particular
vulnerability.  We were trying to make us more agile when responding to
serious root exploits and not look like the distro that is not on top of
these things.

> 
> We should _never_ have an end-of-life kernel marked stable, that's just
> asking for trouble.


> > P.S. if 3.8.4 is bad, and we have to go to 3.9 we ask for a quick
> > "emergency" stabilization effort by the arch teams.
> > 
> > Let me know if that is clear as mud.
> 
> It's clear, but I feel incorrect :)
> 
> As we can't do anything to these releases to fix problems or "make them
> more stable", they should either always be unstable, or always be
> stable, there is no difference.

I am not against either.  And I think this is the way to go.  (always
unstable).

Let the user know that we always provide the latest kernel we can and
they need to always upgrade as you always suggest during upstream
releases.

Users have a certain level of expectation and since no kernel version 
can be considered vulnerability free for long maybe we do them a 
disservice by giving them a false impression that a kernel version is safe and stable.

I would ask others's on the team (or not on the team) to consider this idea.

At some point we can pull straws and bring this to -dev.

> 
> thanks,
> 
> greg k-h
> 


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 17:50       ` Greg KH
@ 2013-06-21 19:51         ` Eric F. GARIOUD
  2013-06-21 21:03           ` Greg KH
  0 siblings, 1 reply; 35+ messages in thread
From: Eric F. GARIOUD @ 2013-06-21 19:51 UTC (permalink / raw
  To: gentoo-kernel

On Friday 21 June 2013 19:50:54 Greg KH wrote:
> On Fri, Jun 21, 2013 at 07:20:23PM +0200, Eric F. GARIOUD wrote:
> > On Friday 21 June 2013 18:48:41 Greg KH wrote:
> > > We should _never_ have an end-of-life kernel marked stable, that's just
> > > asking for trouble.
> > 
> > What about keeping the stable mark and add a package mask?
> 
> And when does that mask get changed?

Never!
The next step being to drop the ebuild.

After all, that is what is currently being done with, as an example,  
avidemux-2.5.6-r2


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 19:51         ` Eric F. GARIOUD
@ 2013-06-21 21:03           ` Greg KH
  0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-21 21:03 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 09:51:53PM +0200, Eric F. GARIOUD wrote:
> On Friday 21 June 2013 19:50:54 Greg KH wrote:
> > On Fri, Jun 21, 2013 at 07:20:23PM +0200, Eric F. GARIOUD wrote:
> > > On Friday 21 June 2013 18:48:41 Greg KH wrote:
> > > > We should _never_ have an end-of-life kernel marked stable, that's just
> > > > asking for trouble.
> > > 
> > > What about keeping the stable mark and add a package mask?
> > 
> > And when does that mask get changed?
> 
> Never!
> The next step being to drop the ebuild.
> 
> After all, that is what is currently being done with, as an example,  
> avidemux-2.5.6-r2

I'm confused, exactly what are you proposing?

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 19:36     ` Mike Pagano
@ 2013-06-21 21:06       ` Greg KH
  0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-21 21:06 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 03:36:12PM -0400, Mike Pagano wrote:
> > > This should be written down and if it's not that's probably on me as I
> > > am the only kernel person (i think) that was involved in the decision
> > > and is still around.
> > 
> > But every single stable kernel release I make fixes bugs that some might
> > consider "security" issues.  So that means that every single stable
> > release should be marked stable, right?
> 
> This policy was put in place for the really "serious" security issues.

Who is making the judgement call about "serious"?  And how do you know
that problems aren't being fixed that aren't "serious"?

> It was expected that the person from the kernel team can make the call
> on whether auto stablizing is the way to go for a particular
> vulnerability.

Trying to track vunerabilities across kernel versions is going to be
hard, especially for ones that are not public yet :)

> We were trying to make us more agile when responding to serious root
> exploits and not look like the distro that is not on top of these
> things.

I understand, and I think the work done on the "normal" kernel ebuilds
are great this way.  This is just for the vanilla kernels, they should
track the upstream releases directly, no need for any Gentoo developer
to make a judgement call on when something is "stable" or not, as again,
there's nothing they can do about it.

> > As we can't do anything to these releases to fix problems or "make them
> > more stable", they should either always be unstable, or always be
> > stable, there is no difference.
> 
> I am not against either.  And I think this is the way to go.  (always
> unstable).
> 
> Let the user know that we always provide the latest kernel we can and
> they need to always upgrade as you always suggest during upstream
> releases.

Great.

> Users have a certain level of expectation and since no kernel version
> can be considered vulnerability free for long maybe we do them a
> disservice by giving them a false impression that a kernel version is
> safe and stable.

I totally agree.

> I would ask others's on the team (or not on the team) to consider this idea.
> 
> At some point we can pull straws and bring this to -dev.

I can do this if no one else wants to, as I know a bit about how
upstream works in this area :)

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 14:58 [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions Greg KH
  2013-06-21 15:30 ` Mike Pagano
@ 2013-06-22  0:02 ` Tom Wijsman
  2013-06-22  0:12   ` Greg KH
  2013-06-22  0:13   ` Greg KH
  1 sibling, 2 replies; 35+ messages in thread
From: Tom Wijsman @ 2013-06-22  0:02 UTC (permalink / raw
  To: gentoo-kernel; +Cc: ago

[-- Attachment #1: Type: text/plain, Size: 2139 bytes --]

On Fri, 21 Jun 2013 07:58:01 -0700
Greg KH <gregkh@gentoo.org> wrote:

> I bumped the vanilla-kernel sources yesterday, and deleted some
> obsolete, and known-insecure versions at the same time (i.e. the 3.7
> and 3.8 ebuilds.)

Thank you for keeping an eye on them; I got into a habit of only
bumping gentoo-sources, so I don't always remind the to do vanilla,
I'll do my best to add it to the habbit in the future.

> They were added back because they were the last releases marked
> "stable" for some arches.

Yes, this is actively being checked to avoid that there is no stable
kernel present; if you don't want that to happen then you should make
an individual arrangement with the arch teams, such that they are aware
that the stabilization of this package is individually arranged.

Since ago does stabilizations for multiple arches, is involved in
security bugs and did the restore on this particular package; I have
added him to CC so he is aware of this discussion going on.

http://thread.gmane.org/gmane.linux.gentoo.kernel/697

> In thinking about this, that's totally wrong.  Either all of these
> ebuilds are marked stable, or none are.  And we should really NEVER
> have known buggy ebuilds marked stable for the vanilla kernels, as
> that's just dangerous on many different levels.
> 
> So, should I just mark these always stable, or never stable?  I don't
> think we should mix the two, as the previous versions are always known
> buggy, and have problems, and shouldn't be used.

I think it may be a nice idea to have vanilla-sources reflect upstream;
that is, always stable and drop versions which are not.

If possible we could script it to keep the package unstable the first X
days it is in Portage to keep the stabilization effect in place; that
way Gentoo users are unaffected if something goes wrong the day after
you push a patch, I assume not, but you never know.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  0:02 ` Tom Wijsman
@ 2013-06-22  0:12   ` Greg KH
  2013-06-22  0:13   ` Greg KH
  1 sibling, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-22  0:12 UTC (permalink / raw
  To: gentoo-kernel; +Cc: ago

On Sat, Jun 22, 2013 at 02:02:59AM +0200, Tom Wijsman wrote:
> On Fri, 21 Jun 2013 07:58:01 -0700
> Greg KH <gregkh@gentoo.org> wrote:
> 
> > I bumped the vanilla-kernel sources yesterday, and deleted some
> > obsolete, and known-insecure versions at the same time (i.e. the 3.7
> > and 3.8 ebuilds.)
> 
> Thank you for keeping an eye on them; I got into a habit of only
> bumping gentoo-sources, so I don't always remind the to do vanilla,
> I'll do my best to add it to the habbit in the future.
> 
> > They were added back because they were the last releases marked
> > "stable" for some arches.
> 
> Yes, this is actively being checked to avoid that there is no stable
> kernel present; if you don't want that to happen then you should make
> an individual arrangement with the arch teams, such that they are aware
> that the stabilization of this package is individually arranged.
> 
> Since ago does stabilizations for multiple arches, is involved in
> security bugs and did the restore on this particular package; I have
> added him to CC so he is aware of this discussion going on.
> 
> http://thread.gmane.org/gmane.linux.gentoo.kernel/697
> 
> > In thinking about this, that's totally wrong.  Either all of these
> > ebuilds are marked stable, or none are.  And we should really NEVER
> > have known buggy ebuilds marked stable for the vanilla kernels, as
> > that's just dangerous on many different levels.
> > 
> > So, should I just mark these always stable, or never stable?  I don't
> > think we should mix the two, as the previous versions are always known
> > buggy, and have problems, and shouldn't be used.
> 
> I think it may be a nice idea to have vanilla-sources reflect upstream;
> that is, always stable and drop versions which are not.

Great!  But as only the latest version released is "stable", that's all
that should stick around, right?

> If possible we could script it to keep the package unstable the first X
> days it is in Portage to keep the stabilization effect in place; that
> way Gentoo users are unaffected if something goes wrong the day after
> you push a patch, I assume not, but you never know.

If something goes "wrong" the day after I push a update, I push a new
one fixing the problem, so this shouldn't be an issue, right?

And as these are coming out about 1-2 a week, the timeout before the
arch teams could get around to marking things stable seems like a lot of
work, for something that isn't really needed at all.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  0:02 ` Tom Wijsman
  2013-06-22  0:12   ` Greg KH
@ 2013-06-22  0:13   ` Greg KH
  2013-06-22  0:45     ` Tom Wijsman
  1 sibling, 1 reply; 35+ messages in thread
From: Greg KH @ 2013-06-22  0:13 UTC (permalink / raw
  To: gentoo-kernel; +Cc: ago

On Sat, Jun 22, 2013 at 02:02:59AM +0200, Tom Wijsman wrote:
> On Fri, 21 Jun 2013 07:58:01 -0700
> Greg KH <gregkh@gentoo.org> wrote:
> 
> > I bumped the vanilla-kernel sources yesterday, and deleted some
> > obsolete, and known-insecure versions at the same time (i.e. the 3.7
> > and 3.8 ebuilds.)
> 
> Thank you for keeping an eye on them; I got into a habit of only
> bumping gentoo-sources, so I don't always remind the to do vanilla,
> I'll do my best to add it to the habbit in the future.
> 
> > They were added back because they were the last releases marked
> > "stable" for some arches.
> 
> Yes, this is actively being checked to avoid that there is no stable
> kernel present; if you don't want that to happen then you should make
> an individual arrangement with the arch teams, such that they are aware
> that the stabilization of this package is individually arranged.
> 
> Since ago does stabilizations for multiple arches, is involved in
> security bugs and did the restore on this particular package; I have
> added him to CC so he is aware of this discussion going on.
> 
> http://thread.gmane.org/gmane.linux.gentoo.kernel/697
> 
> > In thinking about this, that's totally wrong.  Either all of these
> > ebuilds are marked stable, or none are.  And we should really NEVER
> > have known buggy ebuilds marked stable for the vanilla kernels, as
> > that's just dangerous on many different levels.
> > 
> > So, should I just mark these always stable, or never stable?  I don't
> > think we should mix the two, as the previous versions are always known
> > buggy, and have problems, and shouldn't be used.
> 
> I think it may be a nice idea to have vanilla-sources reflect upstream;
> that is, always stable and drop versions which are not.

Great!  But as only the latest version released is "stable", that's all
that should stick around, right?

> If possible we could script it to keep the package unstable the first X
> days it is in Portage to keep the stabilization effect in place; that
> way Gentoo users are unaffected if something goes wrong the day after
> you push a patch, I assume not, but you never know.

If something goes "wrong" the day after I push a update, I push a new
one fixing the problem, so this shouldn't be an issue, right?

And as these are coming out about 1-2 a week, the timeout before the
arch teams could get around to marking things stable seems like a lot of
work, for something that isn't really needed at all.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-21 15:30 ` Mike Pagano
  2013-06-21 15:46   ` Anthony G. Basile
  2013-06-21 16:48   ` Greg KH
@ 2013-06-22  0:23   ` Tom Wijsman
  2 siblings, 0 replies; 35+ messages in thread
From: Tom Wijsman @ 2013-06-22  0:23 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 1428 bytes --]

On Fri, 21 Jun 2013 11:30:56 -0400
Mike Pagano <mpagano@gentoo.org> wrote:

> We hammered out a policy sometime in the past that if you add a new
> version for the reasons you did and remove the stable ones (that have
> security issues) you can do an auto stable.
> 
> I have not gone through the commit log to see what happened but here
> is an easy example.
> 
> You know the stable version 3.8.4 has a sec bug.
> You have a minor point release that fixes this.
> 
> You remove 3.8.4, add 3.8.5 and auto stable for any arch that had a
> stable keyword for 3.8.4.

I know this thread is about vanilla-sources. But in the context of
gentoo-sources this would mean we could do a revision bump with
the security patch and auto stable it? That makes a lot of sense.

Haven't thought about that, I'm going to do that right now to cover the
minor arches that do not have a newer major release stabilized yet.

> This should be written down and if it's not that's probably on me as I
> am the only kernel person (i think) that was involved in the decision
> and is still around.

Yes, I was unaware of this approach, discussion and decision; I'm not
sure if any other kernel person is still active.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  0:13   ` Greg KH
@ 2013-06-22  0:45     ` Tom Wijsman
  2013-06-22  1:54       ` Anthony G. Basile
  2013-06-22  3:42       ` Greg KH
  0 siblings, 2 replies; 35+ messages in thread
From: Tom Wijsman @ 2013-06-22  0:45 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 3076 bytes --]

On Fri, 21 Jun 2013 17:13:03 -0700
Greg KH <gregkh@gentoo.org> wrote:

> Great!  But as only the latest version released is "stable", that's
> all that should stick around, right?

Tricky decision to make. Do we really want to force people's kernel
sources to unmerge every single time you push a new version? Which on
its own turn, forces them to build and install the new kernel.

> > If possible we could script it to keep the package unstable the
> > first X days it is in Portage to keep the stabilization effect in
> > place; that way Gentoo users are unaffected if something goes wrong
> > the day after you push a patch, I assume not, but you never know.
> 
> If something goes "wrong" the day after I push a update, I push a new
> one fixing the problem, so this shouldn't be an issue, right?

It's not so much about fixing the problem, but rather about the
severity of the issue. If this involves a corruption that corrupts a
large amount of data on well known hardware which the patches were not
tested on, users with such hardware would be affected; if we however
delay our Gentoo users, they wouldn't become affected due to an
upstream problem, unless they intentionally use the  ~  keyword

> And as these are coming out about 1-2 a week, the timeout before the
> arch teams could get around to marking things stable seems like a lot
> of work, for something that isn't really needed at all.

What I meant was to not involve arch teams at all, as per the original
proposal but just have a cron job running somewhere to stabilize the
new versions, as well as to drop older versions.

The delayed stabilization and delayed dropping from the tree are merely
ideas that I think are in favor of the users; I may be wrong about this
but would like to at least see this discussed, unless everyone agrees
we should completely reflect the current state as listed on kernel.org.

As you probably know, there are different groups of users where some
run personal laptops or desktops whereas other run a (professional)
server. I think an approach that what would make sense for people
running a secure and stable server might not necessarily make sense for
people running their own laptop or desktop. Not all exploits target
both servers and desktops (eg. they can't get behind router).

On the other hand, the vanilla-sources ebuilds set
K_SECURITY_UNSUPPORTED="1"; so perhaps we're not even aiming for the
(professional) server people at all and therefore perhaps only the
laptop and desktop users. Or at least, that's how Gentoo Security and
that variable would make it look like; I agree though that it is
inconsistent with how upstream would look at these versions, I
therofore think it should be a good idea to reevaluate said variable if
we are going to change the way we stabilize and drop vanilla-sources.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  0:45     ` Tom Wijsman
@ 2013-06-22  1:54       ` Anthony G. Basile
  2013-06-22  3:47         ` Greg KH
  2013-06-22  3:42       ` Greg KH
  1 sibling, 1 reply; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-22  1:54 UTC (permalink / raw
  To: gentoo-kernel

The bug where this was discussed is

https://bugs.gentoo.org/show_bug.cgi?id=338739

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  0:45     ` Tom Wijsman
  2013-06-22  1:54       ` Anthony G. Basile
@ 2013-06-22  3:42       ` Greg KH
  2013-06-22  6:45         ` Tom Wijsman
  1 sibling, 1 reply; 35+ messages in thread
From: Greg KH @ 2013-06-22  3:42 UTC (permalink / raw
  To: gentoo-kernel

On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
> On Fri, 21 Jun 2013 17:13:03 -0700
> Greg KH <gregkh@gentoo.org> wrote:
> 
> > Great!  But as only the latest version released is "stable", that's
> > all that should stick around, right?
> 
> Tricky decision to make. Do we really want to force people's kernel
> sources to unmerge every single time you push a new version? Which on
> its own turn, forces them to build and install the new kernel.

If they are following the vanilla kernels, isn't that what people
expect?  The latest stable-kernel-of-the-week, as that's what I'm
releasing.  They don't have to do an update if they don't want to :)

> > > If possible we could script it to keep the package unstable the
> > > first X days it is in Portage to keep the stabilization effect in
> > > place; that way Gentoo users are unaffected if something goes wrong
> > > the day after you push a patch, I assume not, but you never know.
> > 
> > If something goes "wrong" the day after I push a update, I push a new
> > one fixing the problem, so this shouldn't be an issue, right?
> 
> It's not so much about fixing the problem, but rather about the
> severity of the issue. If this involves a corruption that corrupts a
> large amount of data on well known hardware which the patches were not
> tested on, users with such hardware would be affected; if we however
> delay our Gentoo users, they wouldn't become affected due to an
> upstream problem, unless they intentionally use the  ~  keyword

And how would you find out about these types of issues, unless they get
tested on those systems?  It's a chicken-and-egg issue.  People who want
more "stable" releases, follow the gentoo kernels.  If you want to track
upstream directly, use the vanilla kernels, that's what they are there
for.

> > And as these are coming out about 1-2 a week, the timeout before the
> > arch teams could get around to marking things stable seems like a lot
> > of work, for something that isn't really needed at all.
> 
> What I meant was to not involve arch teams at all, as per the original
> proposal but just have a cron job running somewhere to stabilize the
> new versions, as well as to drop older versions.

A cron job doesn't mean anything (how to stop it?), so you might as well
just always either mark them stable or not, as no one is testing them
for "stability".

> The delayed stabilization and delayed dropping from the tree are merely
> ideas that I think are in favor of the users; I may be wrong about this
> but would like to at least see this discussed, unless everyone agrees
> we should completely reflect the current state as listed on kernel.org.
> 
> As you probably know, there are different groups of users where some
> run personal laptops or desktops whereas other run a (professional)
> server. I think an approach that what would make sense for people
> running a secure and stable server might not necessarily make sense for
> people running their own laptop or desktop. Not all exploits target
> both servers and desktops (eg. they can't get behind router).

I agree, that's why we have so many different kernel packages.

> On the other hand, the vanilla-sources ebuilds set
> K_SECURITY_UNSUPPORTED="1"; so perhaps we're not even aiming for the
> (professional) server people at all and therefore perhaps only the
> laptop and desktop users. Or at least, that's how Gentoo Security and
> that variable would make it look like; I agree though that it is
> inconsistent with how upstream would look at these versions, I
> therofore think it should be a good idea to reevaluate said variable if
> we are going to change the way we stabilize and drop vanilla-sources.

I'll leave that alone, as I don't know what that flag means or does,
sorry.

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  1:54       ` Anthony G. Basile
@ 2013-06-22  3:47         ` Greg KH
  2013-06-22  8:56           ` Anthony G. Basile
  0 siblings, 1 reply; 35+ messages in thread
From: Greg KH @ 2013-06-22  3:47 UTC (permalink / raw
  To: gentoo-kernel

On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote:
> The bug where this was discussed is
> 
> https://bugs.gentoo.org/show_bug.cgi?id=338739

Thanks for the link, unfortunatly, things have changed since then, with
stable kernel releases happening much more frequently now (instead of
about ever 2-3 weeks, it's now, 1-2 releases a week.

So the chance for an arch team to mark anything is going to be tough.

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  3:42       ` Greg KH
@ 2013-06-22  6:45         ` Tom Wijsman
  2013-06-24 16:27           ` Greg KH
  0 siblings, 1 reply; 35+ messages in thread
From: Tom Wijsman @ 2013-06-22  6:45 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 5093 bytes --]

On Fri, 21 Jun 2013 20:42:44 -0700
Greg KH <greg@kroah.com> wrote:

> On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
> > On Fri, 21 Jun 2013 17:13:03 -0700
> > Greg KH <gregkh@gentoo.org> wrote:
> > 
> > > Great!  But as only the latest version released is "stable",
> > > that's all that should stick around, right?
> > 
> > Tricky decision to make. Do we really want to force people's kernel
> > sources to unmerge every single time you push a new version? Which
> > on its own turn, forces them to build and install the new kernel.
> 
> If they are following the vanilla kernels, isn't that what people
> expect?  The latest stable-kernel-of-the-week, as that's what I'm
> releasing.  They don't have to do an update if they don't want to :)

If we don't keep around other ebuilds their sources will unexpectedly
unmerge upon a dependency clean; they can only stop it if they see it
in the list of packages that will be unmerged, and do something to
specifically keep them.

Feel free to experiment with this happening in your Portage tree.
 
> > > > If possible we could script it to keep the package unstable the
> > > > first X days it is in Portage to keep the stabilization effect
> > > > in place; that way Gentoo users are unaffected if something
> > > > goes wrong the day after you push a patch, I assume not, but
> > > > you never know.
> > > 
> > > If something goes "wrong" the day after I push a update, I push a
> > > new one fixing the problem, so this shouldn't be an issue, right?
> > 
> > It's not so much about fixing the problem, but rather about the
> > severity of the issue. If this involves a corruption that corrupts a
> > large amount of data on well known hardware which the patches were
> > not tested on, users with such hardware would be affected; if we
> > however delay our Gentoo users, they wouldn't become affected due
> > to an upstream problem, unless they intentionally use the  ~
> > keyword
> 
> And how would you find out about these types of issues, unless they
> get tested on those systems?  It's a chicken-and-egg issue.  People
> who want more "stable" releases, follow the gentoo kernels.  If you
> want to track upstream directly, use the vanilla kernels, that's what
> they are there for.

Okay, I was just thinking through the possible scenarios of going with
this approach; if nobody else reasonably objects we can do that.

> > > And as these are coming out about 1-2 a week, the timeout before
> > > the arch teams could get around to marking things stable seems
> > > like a lot of work, for something that isn't really needed at all.
> > 
> > What I meant was to not involve arch teams at all, as per the
> > original proposal but just have a cron job running somewhere to
> > stabilize the new versions, as well as to drop older versions.
> 
> A cron job doesn't mean anything (how to stop it?), so you might as
> well just always either mark them stable or not, as no one is testing
> them for "stability".

The cron job should not apply if the version is masked, had its
keywords removed or the ebuild itself removed; this should be trivial
to figure out through the Portage API.

We do have people testing them for stability, as some people run a
system with stable keywords whereas other people wan't to be more risky
and use the unstable / testing / ...  ~  keyword.

> > On the other hand, the vanilla-sources ebuilds set
> > K_SECURITY_UNSUPPORTED="1"; so perhaps we're not even aiming for the
> > (professional) server people at all and therefore perhaps only the
> > laptop and desktop users. Or at least, that's how Gentoo Security
> > and that variable would make it look like; I agree though that it is
> > inconsistent with how upstream would look at these versions, I
> > therofore think it should be a good idea to reevaluate said
> > variable if we are going to change the way we stabilize and drop
> > vanilla-sources.
> 
> I'll leave that alone, as I don't know what that flag means or does,
> sorry.

It prints out the following message, which becomes less the case if we
stabilize it more; as you said, the kernel is more often released these
days and therefore recent security issues are much faster dealt with.


${PN} is UNSUPPORTED by Gentoo Security.
This means that it is likely to be vulnerable to recent security issues.
For specific information on why this kernel is unsupported, please read:
http://www.gentoo.org/proj/en/security/kernel.xml


PS: On a perhaps irrelevant side note, what I find interesting in the
above URL is that it lists vanilla-sources as containing rc entries
(which would be marked with the  ~  keyword) and git-sources as
containing daily snapshots; it appears that the rc entries have moved
to git-sources and that git-sources no longer does daily snapshots.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  3:47         ` Greg KH
@ 2013-06-22  8:56           ` Anthony G. Basile
  2013-06-22 14:43             ` Greg KH
  0 siblings, 1 reply; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-22  8:56 UTC (permalink / raw
  To: gentoo-kernel

On 06/21/2013 11:47 PM, Greg KH wrote:
> On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote:
>> The bug where this was discussed is
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=338739
>
> Thanks for the link, unfortunatly, things have changed since then, with
> stable kernel releases happening much more frequently now (instead of
> about ever 2-3 weeks, it's now, 1-2 releases a week.
>
> So the chance for an arch team to mark anything is going to be tough.
>
> greg k-h
>

I've been following, but I can't say I've been following closely.  I'm 
on the stable{,-commits}@vger list and the rate at which this stuff is 
coming is too fast for human consumption.

We could just drop stabilization of vanilla-sources and have people 
follow ~arch.  That might be closer to the meaning of ~testing vs stable 
in other packages: other upstreams push out releases they consider 
stable, but we don't consider them stable within Gentoo until our QA 
team tests.

Another reason for dropping all vanilla-sources to ~arch is that we have 
some Gentoo specific needs that upstream will not and should not accept, 
eg we are making greater use of extended attributes in our package 
management, so we need end-to-end copying of xattrs.  This means 
preserving certain namespaces (beyond security.* and trusted.*) on tmpfs 
for emerge.  Gentoo users that use vanilla-sources will loose those 
xattr values making vanilla-sources ~ with respect to the rest of Gentoo.


-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  8:56           ` Anthony G. Basile
@ 2013-06-22 14:43             ` Greg KH
  2013-06-22 16:46               ` Anthony G. Basile
  0 siblings, 1 reply; 35+ messages in thread
From: Greg KH @ 2013-06-22 14:43 UTC (permalink / raw
  To: gentoo-kernel

On Sat, Jun 22, 2013 at 04:56:39AM -0400, Anthony G. Basile wrote:
> On 06/21/2013 11:47 PM, Greg KH wrote:
> >On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote:
> >>The bug where this was discussed is
> >>
> >>https://bugs.gentoo.org/show_bug.cgi?id=338739
> >
> >Thanks for the link, unfortunatly, things have changed since then, with
> >stable kernel releases happening much more frequently now (instead of
> >about ever 2-3 weeks, it's now, 1-2 releases a week.
> >
> >So the chance for an arch team to mark anything is going to be tough.
> >
> >greg k-h
> >
> 
> I've been following, but I can't say I've been following closely.
> I'm on the stable{,-commits}@vger list and the rate at which this
> stuff is coming is too fast for human consumption.

So, as I am the one creating all of that "stuff", does that mean I'm
somehow not "human"?  :)

> We could just drop stabilization of vanilla-sources and have people
> follow ~arch.  That might be closer to the meaning of ~testing vs
> stable in other packages: other upstreams push out releases they
> consider stable, but we don't consider them stable within Gentoo
> until our QA team tests.

I agree.

> Another reason for dropping all vanilla-sources to ~arch is that we
> have some Gentoo specific needs that upstream will not and should
> not accept, eg we are making greater use of extended attributes in
> our package management, so we need end-to-end copying of xattrs.
> This means preserving certain namespaces (beyond security.* and
> trusted.*) on tmpfs for emerge.  Gentoo users that use
> vanilla-sources will loose those xattr values making vanilla-sources
> ~ with respect to the rest of Gentoo.

What?  So we are now relying on kernel patches that are not merged
upstream for proper operation of at Gentoo-based system?  That's news to
me, I've _never_ run a gentoo-based kernel on my boxes in all of my
years as a Gentoo developer, with no problems, and I don't think we want
to require this in the future, do you?

Also, why aren't these patches upstream?  Were they rejected?  Just not
ready?  No one submitted them?

Don't ever try to differentiate at the kernel level from other distros,
it's not worth it, and will cause problems in the end.  The other
distros have realized this, I thought we were smarter than that...

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22 14:43             ` Greg KH
@ 2013-06-22 16:46               ` Anthony G. Basile
  2013-06-24 22:05                 ` Greg KH
  0 siblings, 1 reply; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-22 16:46 UTC (permalink / raw
  To: gentoo-kernel

On 06/22/2013 10:43 AM, Greg KH wrote:
> On Sat, Jun 22, 2013 at 04:56:39AM -0400, Anthony G. Basile wrote:
>> On 06/21/2013 11:47 PM, Greg KH wrote:
>>> On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote:
>>>> The bug where this was discussed is
>>>>
>>>> https://bugs.gentoo.org/show_bug.cgi?id=338739
>>> Thanks for the link, unfortunatly, things have changed since then, with
>>> stable kernel releases happening much more frequently now (instead of
>>> about ever 2-3 weeks, it's now, 1-2 releases a week.
>>>
>>> So the chance for an arch team to mark anything is going to be tough.
>>>
>>> greg k-h
>>>
>> I've been following, but I can't say I've been following closely.
>> I'm on the stable{,-commits}@vger list and the rate at which this
>> stuff is coming is too fast for human consumption.
> So, as I am the one creating all of that "stuff", does that mean I'm
> somehow not "human"?  :)

Yes, yes it does :)  I was one of your 40 elect when you needed minion, 
but I just can't with all my other duties.

>
>> We could just drop stabilization of vanilla-sources and have people
>> follow ~arch.  That might be closer to the meaning of ~testing vs
>> stable in other packages: other upstreams push out releases they
>> consider stable, but we don't consider them stable within Gentoo
>> until our QA team tests.
> I agree.
>
>> Another reason for dropping all vanilla-sources to ~arch is that we
>> have some Gentoo specific needs that upstream will not and should
>> not accept, eg we are making greater use of extended attributes in
>> our package management, so we need end-to-end copying of xattrs.
>> This means preserving certain namespaces (beyond security.* and
>> trusted.*) on tmpfs for emerge.  Gentoo users that use
>> vanilla-sources will loose those xattr values making vanilla-sources
>> ~ with respect to the rest of Gentoo.
> What?  So we are now relying on kernel patches that are not merged
> upstream for proper operation of at Gentoo-based system?  That's news to
> me, I've _never_ run a gentoo-based kernel on my boxes in all of my
> years as a Gentoo developer, with no problems, and I don't think we want
> to require this in the future, do you?

Its related to PaX coming form the grsec/pax team.

>
> Also, why aren't these patches upstream?  Were they rejected?  Just not
> ready?  No one submitted them?

We need to maintain a special namespace on tmpfs beyond security.* and 
trusted.*  It is "user.pax.flags" and it is limited to 8 bytes. Without 
it, we will not have end-to-end xattr support for the namespaces we need 
in Gentoo.

As for why they are not upstream, I can try.  I'm like 99.9% certain it 
will be rejected but at the very least, if the rejection is "we don't 
need that crap" then I can safely ignore it, but if the rejection is 
"there's a gapping security whole" then we can at least address it even 
if in the end they pulled into vanilla.

>
> Don't ever try to differentiate at the kernel level from other distros,
> it's not worth it, and will cause problems in the end.  The other
> distros have realized this, I thought we were smarter than that...

Like the 50k line patch that Brad spews out every other day?  I 
understand your point but grsec/pax has a large enough user base and 
we've supported it for 10 years now.

As for not differentiating at the kernel level, our choice here was 
either that or differentiate at the toolchain level.  Try readelf -l on 
any Gentoo elf object and tell me what you see different than, oh say, 
OpenSuse.  A 5 line patch to mm/shmem.c in the kernel is a small price 
to pay for cleaning up the program headers of our elf objects 
userland-wide.  *That* will bring Genoo in line with other linux distros.

>
> thanks,
>
> greg k-h
>


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22  6:45         ` Tom Wijsman
@ 2013-06-24 16:27           ` Greg KH
  2013-06-24 23:26             ` Anthony G. Basile
                               ` (3 more replies)
  0 siblings, 4 replies; 35+ messages in thread
From: Greg KH @ 2013-06-24 16:27 UTC (permalink / raw
  To: gentoo-kernel

On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
> On Fri, 21 Jun 2013 20:42:44 -0700
> Greg KH <greg@kroah.com> wrote:
> 
> > On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
> > > On Fri, 21 Jun 2013 17:13:03 -0700
> > > Greg KH <gregkh@gentoo.org> wrote:
> > > 
> > > > Great!  But as only the latest version released is "stable",
> > > > that's all that should stick around, right?
> > > 
> > > Tricky decision to make. Do we really want to force people's kernel
> > > sources to unmerge every single time you push a new version? Which
> > > on its own turn, forces them to build and install the new kernel.
> > 
> > If they are following the vanilla kernels, isn't that what people
> > expect?  The latest stable-kernel-of-the-week, as that's what I'm
> > releasing.  They don't have to do an update if they don't want to :)
> 
> If we don't keep around other ebuilds their sources will unexpectedly
> unmerge upon a dependency clean; they can only stop it if they see it
> in the list of packages that will be unmerged, and do something to
> specifically keep them.

True, so we can keep around 3-4 older ebuilds if needed, per kernel
release.  But who really does a dependency clean these days, I've never
done one :)

So, what's the next step?  Should I announce the change to -dev?  Anyone
else really object to it?  Other thoughts?

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-22 16:46               ` Anthony G. Basile
@ 2013-06-24 22:05                 ` Greg KH
  0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-24 22:05 UTC (permalink / raw
  To: gentoo-kernel

On Sat, Jun 22, 2013 at 12:46:01PM -0400, Anthony G. Basile wrote:
> >>Another reason for dropping all vanilla-sources to ~arch is that we
> >>have some Gentoo specific needs that upstream will not and should
> >>not accept, eg we are making greater use of extended attributes in
> >>our package management, so we need end-to-end copying of xattrs.
> >>This means preserving certain namespaces (beyond security.* and
> >>trusted.*) on tmpfs for emerge.  Gentoo users that use
> >>vanilla-sources will loose those xattr values making vanilla-sources
> >>~ with respect to the rest of Gentoo.
> >What?  So we are now relying on kernel patches that are not merged
> >upstream for proper operation of at Gentoo-based system?  That's news to
> >me, I've _never_ run a gentoo-based kernel on my boxes in all of my
> >years as a Gentoo developer, with no problems, and I don't think we want
> >to require this in the future, do you?
> 
> Its related to PaX coming form the grsec/pax team.

Ah, this is just the "hardened" stuff, not the "normal" gentoo kernels,
right?

> >Also, why aren't these patches upstream?  Were they rejected?  Just not
> >ready?  No one submitted them?
> 
> We need to maintain a special namespace on tmpfs beyond security.*
> and trusted.*  It is "user.pax.flags" and it is limited to 8 bytes.
> Without it, we will not have end-to-end xattr support for the
> namespaces we need in Gentoo.
> 
> As for why they are not upstream, I can try.  I'm like 99.9% certain
> it will be rejected but at the very least, if the rejection is "we
> don't need that crap" then I can safely ignore it, but if the
> rejection is "there's a gapping security whole" then we can at least
> address it even if in the end they pulled into vanilla.

Any pointers to the patch so that I can take a look at it?

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-24 16:27           ` Greg KH
@ 2013-06-24 23:26             ` Anthony G. Basile
  2013-06-24 23:37             ` Tom Wijsman
                               ` (2 subsequent siblings)
  3 siblings, 0 replies; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-24 23:26 UTC (permalink / raw
  To: gentoo-kernel

On 06/24/2013 12:27 PM, Greg KH wrote:
> On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
>> On Fri, 21 Jun 2013 20:42:44 -0700
>> Greg KH <greg@kroah.com> wrote:
>>
>>> On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
>>>> On Fri, 21 Jun 2013 17:13:03 -0700
>>>> Greg KH <gregkh@gentoo.org> wrote:
>>>>
>>>>> Great!  But as only the latest version released is "stable",
>>>>> that's all that should stick around, right?
>>>>
>>>> Tricky decision to make. Do we really want to force people's kernel
>>>> sources to unmerge every single time you push a new version? Which
>>>> on its own turn, forces them to build and install the new kernel.
>>>
>>> If they are following the vanilla kernels, isn't that what people
>>> expect?  The latest stable-kernel-of-the-week, as that's what I'm
>>> releasing.  They don't have to do an update if they don't want to :)
>>
>> If we don't keep around other ebuilds their sources will unexpectedly
>> unmerge upon a dependency clean; they can only stop it if they see it
>> in the list of packages that will be unmerged, and do something to
>> specifically keep them.
>
> True, so we can keep around 3-4 older ebuilds if needed, per kernel
> release.  But who really does a dependency clean these days, I've never
> done one :)
>
> So, what's the next step?  Should I announce the change to -dev?  Anyone
> else really object to it?  Other thoughts?
>
> thanks,
>
> greg k-h
>

Greg,

This sounds okay to me, but let's see what the lead says.  You're best 
suited to decide which versions to keep or toss, so as far as I'm 
concerned, just do what you've been doing as I see from the ChangeLog.

There is, however, some disagreement about whether we should still 
continue stabilizing vanilla-sources, but we can debate that on -dev.

--Tony

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-24 16:27           ` Greg KH
  2013-06-24 23:26             ` Anthony G. Basile
@ 2013-06-24 23:37             ` Tom Wijsman
  2013-06-25  7:43               ` Marc Schiffbauer
  2013-06-25  3:09             ` Dale
  2013-06-27 19:45             ` Mike Pagano
  3 siblings, 1 reply; 35+ messages in thread
From: Tom Wijsman @ 2013-06-24 23:37 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 1925 bytes --]

On Mon, 24 Jun 2013 09:27:10 -0700
Greg KH <gregkh@gentoo.org> wrote:

> On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
> True, so we can keep around 3-4 older ebuilds if needed, per kernel
> release.  But who really does a dependency clean these days, I've
> never done one :)

Depends a bit on your workflow; in my case, I ...

1) Update my system on a daily basis.
2) Test many packages I don't actively use, typical on some herds.
3) Test many kernels, each having their own slot; leaving stuff behind.
4) Randomly emerge interesting software to try it; I usually do this
   with -1 so I don't forget to unmerge them, supposing I dep clean.

Especially those cases where there are dependency changes (whether
the dependency is no longer used or the slot changed) a lot of
dependencies (and some packages) can be left behind.

So, I do have to run it now and then or it will clog my system; not to
forget about the many other non Portage creep that could fill up.

> So, what's the next step? Should I announce the change to -dev?

I wonder if a news item is in place for this change, because we will
be dropping all stable keywords. If I remember correctly news items
have to pass the -dev ML. On the other hand, I don't really have an
idea of how important this issue is to be considered; though it may be
handy to err on the side of being more transparent towards our users.

> Anyone else really object to it?  Other thoughts?

I thought the idea of not stabilizing worked out the best, dropping
insecure and EOL versions and keeping the versions from the last month
of each branch around or so (we do this very last thing on g-s too).

No objections from me.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-24 16:27           ` Greg KH
  2013-06-24 23:26             ` Anthony G. Basile
  2013-06-24 23:37             ` Tom Wijsman
@ 2013-06-25  3:09             ` Dale
  2013-06-25  6:18               ` Douglas Dunn
  2013-06-27 19:45             ` Mike Pagano
  3 siblings, 1 reply; 35+ messages in thread
From: Dale @ 2013-06-25  3:09 UTC (permalink / raw
  To: gentoo-kernel

Greg KH wrote:
> True, so we can keep around 3-4 older ebuilds if needed, per kernel
> release. But who really does a dependency clean these days, I've never
> done one :) So, what's the next step? Should I announce the change to
> -dev? Anyone else really object to it? Other thoughts? thanks, greg k-h 

If you are referring to --depclean, I do that pretty regular here.  I
see it being recommended on -user and forums and have even seen it after
a emerge more than once. 

If you are referring to something else, disregard.

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-25  3:09             ` Dale
@ 2013-06-25  6:18               ` Douglas Dunn
  2013-06-27  4:15                 ` Greg KH
  0 siblings, 1 reply; 35+ messages in thread
From: Douglas Dunn @ 2013-06-25  6:18 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 1053 bytes --]

A users perspective about vanilla-kernel, but why not just mirror whats
available on kernel.org. keep it simple with the versions they offer there,
with their longterm stable and slowly remove their EOL, maybe give a
warning there till its gone from kernel and then make it gone from the tree.


On Mon, Jun 24, 2013 at 11:09 PM, Dale <rdalek1967@gmail.com> wrote:

> Greg KH wrote:
> > True, so we can keep around 3-4 older ebuilds if needed, per kernel
> > release. But who really does a dependency clean these days, I've never
> > done one :) So, what's the next step? Should I announce the change to
> > -dev? Anyone else really object to it? Other thoughts? thanks, greg k-h
>
> If you are referring to --depclean, I do that pretty regular here.  I
> see it being recommended on -user and forums and have even seen it after
> a emerge more than once.
>
> If you are referring to something else, disregard.
>
> Dale
>
> :-)  :-)
>
> --
> I am only responsible for what I said ... Not for what you understood or
> how you interpreted my words!
>
>
>

[-- Attachment #2: Type: text/html, Size: 1551 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-24 23:37             ` Tom Wijsman
@ 2013-06-25  7:43               ` Marc Schiffbauer
  0 siblings, 0 replies; 35+ messages in thread
From: Marc Schiffbauer @ 2013-06-25  7:43 UTC (permalink / raw
  To: gentoo-kernel

[-- Attachment #1: Type: text/plain, Size: 750 bytes --]

Am Dienstag, 25. Juni 2013, 01:37:56 schrieb Tom Wijsman:
> 
> I wonder if a news item is in place for this change, because we will
> be dropping all stable keywords. If I remember correctly news items
> have to pass the -dev ML. On the other hand, I don't really have an
> idea of how important this issue is to be considered; though it may be
> handy to err on the side of being more transparent towards our users.
> 

I think this is worth a news item because stable users using vanilla-sources 
will rely on new stable kernels to appear for them. They should be informed 
about the fact that they now have to accept the ~ keyword in order to get 
updated kernel versions.

-Marc
-- 
0x35A64134 - 8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 190 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-25  6:18               ` Douglas Dunn
@ 2013-06-27  4:15                 ` Greg KH
  0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-06-27  4:15 UTC (permalink / raw
  To: gentoo-kernel

On Tue, Jun 25, 2013 at 02:18:12AM -0400, Douglas Dunn wrote:
> A users perspective about vanilla-kernel, but why not just mirror whats
> available on kernel.org. keep it simple with the versions they offer there,
> with their longterm stable and slowly remove their EOL, maybe give a warning
> there till its gone from kernel and then make it gone from the tree.

That's exactly what I am proposing, but keeping everything marked
"unstable" as there's no time to mark them stable before the next
release comes out with fixes that should be applied.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-24 16:27           ` Greg KH
                               ` (2 preceding siblings ...)
  2013-06-25  3:09             ` Dale
@ 2013-06-27 19:45             ` Mike Pagano
  2013-06-27 20:03               ` Anthony G. Basile
  2013-07-06 19:56               ` Greg KH
  3 siblings, 2 replies; 35+ messages in thread
From: Mike Pagano @ 2013-06-27 19:45 UTC (permalink / raw
  To: gentoo-kernel

On Mon, Jun 24, 2013 at 09:27:10AM -0700, Greg KH wrote:
> On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
> > On Fri, 21 Jun 2013 20:42:44 -0700
> > Greg KH <greg@kroah.com> wrote:
> > 
> > > On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
> > > > On Fri, 21 Jun 2013 17:13:03 -0700
> > > > Greg KH <gregkh@gentoo.org> wrote:
> > > > 
> > > > > Great!  But as only the latest version released is "stable",
> > > > > that's all that should stick around, right?
> > > > 
> > > > Tricky decision to make. Do we really want to force people's kernel
> > > > sources to unmerge every single time you push a new version? Which
> > > > on its own turn, forces them to build and install the new kernel.
> > > 
> > > If they are following the vanilla kernels, isn't that what people
> > > expect?  The latest stable-kernel-of-the-week, as that's what I'm
> > > releasing.  They don't have to do an update if they don't want to :)
> > 
> > If we don't keep around other ebuilds their sources will unexpectedly
> > unmerge upon a dependency clean; they can only stop it if they see it
> > in the list of packages that will be unmerged, and do something to
> > specifically keep them.
> 
> True, so we can keep around 3-4 older ebuilds if needed, per kernel
> release.  But who really does a dependency clean these days, I've never
> done one :)
> 
> So, what's the next step?  Should I announce the change to -dev?  Anyone
> else really object to it?  Other thoughts?
> 
> thanks,
> 
> greg k-h
> 

Are we agreed on a few facts?

1. Upstream release rate is now a much higher 1-2 kernels a week.
2. Very frequently, these releases contain security fixes.
3. This rate of release puts arch teams in a difficult position, since
it is unsustainable to try to keep up tp date with stabilization
4. By continuing the policy of providing a stable kernel version, Gentoo
is giving a false sense of security to its users, since by the time the
kernel does get stabilized, a newer version more with more security
fixes is almost always already released.

Auto stabling keywords again will give that false impression of Gentoo
QA on a particular arch, so I don't think I would want that.

A downside is that a kernel could be released that wont build on an
arch. Does that imply failure of our QA process? Or is it acceptable, as
a fix almost always follows right after that kind of situation.







-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-27 19:45             ` Mike Pagano
@ 2013-06-27 20:03               ` Anthony G. Basile
  2013-06-27 20:21                 ` Mike Pagano
  2013-07-06 19:56               ` Greg KH
  1 sibling, 1 reply; 35+ messages in thread
From: Anthony G. Basile @ 2013-06-27 20:03 UTC (permalink / raw
  To: gentoo-kernel

On 06/27/2013 03:45 PM, Mike Pagano wrote:
> On Mon, Jun 24, 2013 at 09:27:10AM -0700, Greg KH wrote:
>> On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
>>> On Fri, 21 Jun 2013 20:42:44 -0700
>>> Greg KH <greg@kroah.com> wrote:
>>>
>>>> On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
>>>>> On Fri, 21 Jun 2013 17:13:03 -0700
>>>>> Greg KH <gregkh@gentoo.org> wrote:
>>>>>
>>>>>> Great!  But as only the latest version released is "stable",
>>>>>> that's all that should stick around, right?
>>>>> Tricky decision to make. Do we really want to force people's kernel
>>>>> sources to unmerge every single time you push a new version? Which
>>>>> on its own turn, forces them to build and install the new kernel.
>>>> If they are following the vanilla kernels, isn't that what people
>>>> expect?  The latest stable-kernel-of-the-week, as that's what I'm
>>>> releasing.  They don't have to do an update if they don't want to :)
>>> If we don't keep around other ebuilds their sources will unexpectedly
>>> unmerge upon a dependency clean; they can only stop it if they see it
>>> in the list of packages that will be unmerged, and do something to
>>> specifically keep them.
>> True, so we can keep around 3-4 older ebuilds if needed, per kernel
>> release.  But who really does a dependency clean these days, I've never
>> done one :)
>>
>> So, what's the next step?  Should I announce the change to -dev?  Anyone
>> else really object to it?  Other thoughts?
>>
>> thanks,
>>
>> greg k-h
>>
> Are we agreed on a few facts?
>
> 1. Upstream release rate is now a much higher 1-2 kernels a week.
> 2. Very frequently, these releases contain security fixes.
> 3. This rate of release puts arch teams in a difficult position, since
> it is unsustainable to try to keep up tp date with stabilization
> 4. By continuing the policy of providing a stable kernel version, Gentoo
> is giving a false sense of security to its users, since by the time the
> kernel does get stabilized, a newer version more with more security
> fixes is almost always already released.
>
> Auto stabling keywords again will give that false impression of Gentoo
> QA on a particular arch, so I don't think I would want that.
>
> A downside is that a kernel could be released that wont build on an
> arch. Does that imply failure of our QA process? Or is it acceptable, as
> a fix almost always follows right after that kind of situation.
>
This is fine.  Within the space of all arches and all possible 
configurations, kernels always have bugs.  On vanilla-sources, these 
reports should go directly upstream.  If we have fixes, we should pass 
them upstream.

We should do a news item to alert users to the new policy.  What is the 
migration path to dropping stable keywords?  Some users may sit on 
stable kernels thinking that's where we are drawing the line of 
stability, while we've actually dropped that distinction all together.

--Tony

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-27 20:03               ` Anthony G. Basile
@ 2013-06-27 20:21                 ` Mike Pagano
  0 siblings, 0 replies; 35+ messages in thread
From: Mike Pagano @ 2013-06-27 20:21 UTC (permalink / raw
  To: gentoo-kernel

On Thu, Jun 27, 2013 at 04:03:51PM -0400, Anthony G. Basile wrote:
> On 06/27/2013 03:45 PM, Mike Pagano wrote:
> > On Mon, Jun 24, 2013 at 09:27:10AM -0700, Greg KH wrote:
> >> On Sat, Jun 22, 2013 at 08:45:25AM +0200, Tom Wijsman wrote:
> >>> On Fri, 21 Jun 2013 20:42:44 -0700
> >>> Greg KH <greg@kroah.com> wrote:
> >>>
> >>>> On Sat, Jun 22, 2013 at 02:45:16AM +0200, Tom Wijsman wrote:
> >>>>> On Fri, 21 Jun 2013 17:13:03 -0700
> >>>>> Greg KH <gregkh@gentoo.org> wrote:
> >>>>>
> >>>>>> Great!  But as only the latest version released is "stable",
> >>>>>> that's all that should stick around, right?
> >>>>> Tricky decision to make. Do we really want to force people's kernel
> >>>>> sources to unmerge every single time you push a new version? Which
> >>>>> on its own turn, forces them to build and install the new kernel.
> >>>> If they are following the vanilla kernels, isn't that what people
> >>>> expect?  The latest stable-kernel-of-the-week, as that's what I'm
> >>>> releasing.  They don't have to do an update if they don't want to :)
> >>> If we don't keep around other ebuilds their sources will unexpectedly
> >>> unmerge upon a dependency clean; they can only stop it if they see it
> >>> in the list of packages that will be unmerged, and do something to
> >>> specifically keep them.
> >> True, so we can keep around 3-4 older ebuilds if needed, per kernel
> >> release.  But who really does a dependency clean these days, I've never
> >> done one :)
> >>
> >> So, what's the next step?  Should I announce the change to -dev?  Anyone
> >> else really object to it?  Other thoughts?
> >>
> >> thanks,
> >>
> >> greg k-h
> >>
> > Are we agreed on a few facts?
> >
> > 1. Upstream release rate is now a much higher 1-2 kernels a week.
> > 2. Very frequently, these releases contain security fixes.
> > 3. This rate of release puts arch teams in a difficult position, since
> > it is unsustainable to try to keep up tp date with stabilization
> > 4. By continuing the policy of providing a stable kernel version, Gentoo
> > is giving a false sense of security to its users, since by the time the
> > kernel does get stabilized, a newer version more with more security
> > fixes is almost always already released.
> >
> > Auto stabling keywords again will give that false impression of Gentoo
> > QA on a particular arch, so I don't think I would want that.
> >
> > A downside is that a kernel could be released that wont build on an
> > arch. Does that imply failure of our QA process? Or is it acceptable, as
> > a fix almost always follows right after that kind of situation.
> >
> This is fine.  Within the space of all arches and all possible 
> configurations, kernels always have bugs.  On vanilla-sources, these 
> reports should go directly upstream.  If we have fixes, we should pass 
> them upstream.
> 
> We should do a news item to alert users to the new policy.  What is the 
> migration path to dropping stable keywords?  Some users may sit on 
> stable kernels thinking that's where we are drawing the line of 
> stability, while we've actually dropped that distinction all together.

You are 100% right on that. I've had users that refuse to upgrade
kernels because they were not stabilized. This is definitely news item
worthy.

> 
> --Tony
> 
> -- 
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail    : blueness@gentoo.org
> GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
> GnuPG ID  : F52D4BBA
> 
> 

-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions
  2013-06-27 19:45             ` Mike Pagano
  2013-06-27 20:03               ` Anthony G. Basile
@ 2013-07-06 19:56               ` Greg KH
  1 sibling, 0 replies; 35+ messages in thread
From: Greg KH @ 2013-07-06 19:56 UTC (permalink / raw
  To: gentoo-kernel

On Thu, Jun 27, 2013 at 03:45:04PM -0400, Mike Pagano wrote:
> Are we agreed on a few facts?
> 
> 1. Upstream release rate is now a much higher 1-2 kernels a week.
> 2. Very frequently, these releases contain security fixes.
> 3. This rate of release puts arch teams in a difficult position, since
> it is unsustainable to try to keep up tp date with stabilization
> 4. By continuing the policy of providing a stable kernel version, Gentoo
> is giving a false sense of security to its users, since by the time the
> kernel does get stabilized, a newer version more with more security
> fixes is almost always already released.

I agree with all of this, so, who is going to create the news item?  I
think we should do this before 3.10.1 is out, just to start it all
during a new kernel release cycle, which should happen by the end of
next week, pending something causing me to delay it.

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 35+ messages in thread

end of thread, other threads:[~2013-07-06 19:56 UTC | newest]

Thread overview: 35+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-21 14:58 [gentoo-kernel] vanilla-kernel sources should not be marked stable for obsolete versions Greg KH
2013-06-21 15:30 ` Mike Pagano
2013-06-21 15:46   ` Anthony G. Basile
2013-06-21 16:49     ` Greg KH
2013-06-21 16:48   ` Greg KH
2013-06-21 17:20     ` Eric F. GARIOUD
2013-06-21 17:50       ` Greg KH
2013-06-21 19:51         ` Eric F. GARIOUD
2013-06-21 21:03           ` Greg KH
2013-06-21 19:36     ` Mike Pagano
2013-06-21 21:06       ` Greg KH
2013-06-22  0:23   ` Tom Wijsman
2013-06-22  0:02 ` Tom Wijsman
2013-06-22  0:12   ` Greg KH
2013-06-22  0:13   ` Greg KH
2013-06-22  0:45     ` Tom Wijsman
2013-06-22  1:54       ` Anthony G. Basile
2013-06-22  3:47         ` Greg KH
2013-06-22  8:56           ` Anthony G. Basile
2013-06-22 14:43             ` Greg KH
2013-06-22 16:46               ` Anthony G. Basile
2013-06-24 22:05                 ` Greg KH
2013-06-22  3:42       ` Greg KH
2013-06-22  6:45         ` Tom Wijsman
2013-06-24 16:27           ` Greg KH
2013-06-24 23:26             ` Anthony G. Basile
2013-06-24 23:37             ` Tom Wijsman
2013-06-25  7:43               ` Marc Schiffbauer
2013-06-25  3:09             ` Dale
2013-06-25  6:18               ` Douglas Dunn
2013-06-27  4:15                 ` Greg KH
2013-06-27 19:45             ` Mike Pagano
2013-06-27 20:03               ` Anthony G. Basile
2013-06-27 20:21                 ` Mike Pagano
2013-07-06 19:56               ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox