Re: Some thoughts about stable kernel development

[John Bradford]

Quote from Rob Landley <rob@xxxxxxxxxxx>:
> On Sunday 09 November 2003 13:50, John Bradford wrote:
> > Hi Linus,
> >
> > [Off-list]
> >
> > Quote from Krzysztof Halasa <khc@xxxxxxxxx>:
> > > Such a scenario is real and that way we might
> > > end up with official kernel being unusable for any Internet-connected
> > > tasks for weeks.
> >
> > This does highlight a real issue - I am concerned by the number of
> > posts on sites like lwn.net saying things like, "Oh, I'm using 2.6 as
> > my standard kernel now", when it is clear that a lot of those users
> > simply do not understand the issues.
> 
> At the same time, you _want_ as many testers as you can get finding the 
> strange bugs where burning cd's on an ACPI-powered laptop interacts strangely 
> with 3D acceleration.  And now that we're in the -test series, we want _more_ 
> of them.

Note - this was post incomplete and badly thought out - I never
intended this to go to the list, as evidenced by the [Off-list]
comment, and the only reason it was sent at all is because I hit send
instead of delete, (and hadn't trimmed the CC list yet).

What I originally intended to say in a private comment to Linus, is
that it might be worth trying to make people more aware that security
patches that went in to 2.4 never went in to 2.6, nothing more, and
nothing less.  I am NOT trying to put people off of testing, and never
have been, (which is the impression I got from your response).

> Security considerations are just one more element 
> of the party mix, and most of these are local (they've got to have broken 
> into the box ANYWAY, it just potentially lets 'em crack root once they're 
> in).
> 
> I'm still a lot more worried about what the kernel's doing to my filesystem 
> than what some malicious twit on the internet is likely to do.  That's the 
> main reason it's still -test...

No, I disagree.  If somebody's filesystem gets eaten, and they didn't
back up, well, they should have done.  That's common sense.

On the other hand, many users out there are _obviously_ under the
illusion that 2.6.0-test has no known security issues, and that is
false.  If their machine is internet-connected and compromised, it can
cause annoyance to third parties.  Given that, I think a file in the
root of the kernel tree, saying something like, "Don't use me on an
internet connected machine unless you know what you're doing" would be
worth considering.

John.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/