On Thursday, June 29, 2006 9:58 AM -0500, Ralph Katz wrote:

> On 06/29/2006, Linas Žvirblis wrote:
>
> > Why should it? Many people prefer to manually choose their
> > kernels, as this is not something you can upgrade at any given
> > time. It is not a problem either way - installing or removing a
> > meta package is not that hard, is it?
>
> Hi Linas,
>
> You are correct that installing the meta package is not hard.
>
> The issue is security; without the meta package, kernel updates are
> /not/ automatic with apt-get/aptitude upgrades. For desktop users
> and non-developers like me who maintain our own systems, it's easy
> to miss the fact that kernel security updates are skipped without
> the meta package. For this reason, I believe the current default
> installation procedure and docs are flawed.
>
> But it seems I'm alone on this as my post to this list got no
> response last April,
> http://lists.debian.org/debian-user/2006/04/msg00547.html pasted
> below.

I agree with Ralph: this is a packaging problem that creates a security problem for the less expert users. While it is true that it's not hard to manually install the meta-package, here's the reason I believe it should be installed as the default.

Compiling a new kernel, while not all that difficult, is not something the average desktop user typically does. It is also not something the average desktop user should be required to read about, or even deal with a dialog concerning pros and cons during an install. This is likely to generate more confusion and unnecessary requests for help. Some Debian purists may consider this an opportunity to educate new users as to the options available, without regard to whether they want or need such information.

I don't think it's an unreasonable criterion that someone who just wants to create a Debian desktop install for the stable distribution should be able to go through the installation procedure and wind up with a system where _all_ security fixes are applied through the normal update tools. They shouldn't _have_ to read lots of manuals, and be confused by myriad options they don't understand, in order to achieve that result. They also should not have to go to Ubuntu, which exists at the whim of a single wealthy and well-intentioned individual.

Making an exception for the kernel is getting it backwards. It's the experienced users that compile their own kernels, or use a kernel from other than the stable distribution, who should disable the automatic notifications in the update tools. In their case, even if they fail to get rid of the meta-package, they know enough to ignore any kernel update notifications they receive through apt-get update. Average desktop users, OTOH, don't even know they are missing a kernel security upgrade unless they read the fine print in the installation manual (assuming we add it) or subscribe to the Debian Security list. While in the ideal world, all users would do both of those things, most average desktop users will do neither. The punishment for that should not be a kernel with known security flaws. Nor should we erect barriers to average users who would otherwise be satisfied with a Debian system in favor of an unnamed commercial one.

Retaining the requirement to manually add the kernel meta-package, if you want kernel security upgrades, is not a reasonable way to go, IMHO. Making it part of the default install, and adding a note in the install manual for advanced users as to when and how to disable it, makes a lot more sense. If we continue to insist on keeping things as they are, our place as an O/S with an 8% desktop share is quite secure. Demanding that users must educate themselves might feel righteous, but it won't attract new users.

Does this approach "coddle" new users? Perhaps. Isn't that a bad idea? No, because Debian is just a tool, not a way of life. While there are many admirable social goals in the Debian project and the open-software movement, those are secondary for most users. They decide whether or not to use a given piece of software because of how much it improves their productivity and how much trouble it is. After using it for a while, _some_ of them will figure out that the reason it works as well as it does is because of the open-source development model, and will decide that's a valuable thing on its own. That's all we need.

--
Seth Goodman