On Fri, 09 Oct 2009 21:09:06 +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the linux-kbuild-2.6 package:
>
> #550379: linux-kbulid-2.6: embeds linux-2.6
>
> It has been closed by Bastian Blank <wa...@debian.org>.
>
> On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
>> the linux-kbuild-2.6 source package includes portions of code from the
>> linux-2.6 source package (i.e. everything in ./kbuild/*). this is bad
>> in terms of security support because it causes more work for the
>> security team and increases the risk of errors, omissions, and mistakes.
>
> No, it does not. It is a different source package and both are derived
> from the same upstream code.

two different source packages with portions being the same code are
considered a case of an embedded code copy; which is generally
considered bad practice from a security perspective.

> Also security support for the kernel is solely done by the team itself.

i am acutely aware of this, and you could be making life easier for
yourself (or more accurately for Dann Frazier since he is the primary
kernel-sec contributor).

>> less significant, but also important, is that since the kbuild package
>> is separated from the linux package, the kbuild packages always lag by
>> weeks or months after a new kernel release; making it impossible to
>> build modules for that new kernel.
>>
>> the recommended course of action is to update the linux-2.6 source
>> package to also build the kbuild binaries. thanks.
>
> This is not possible for other reasons.

what are these reasons, and why do they seem so insurmountable?

mike