Leo Famulari <l...@famulari.name> writes:

> On Sun, Jun 04, 2017 at 02:11:39AM -0400, Mark H Weaver wrote:
>> Does anyone here still need linux-libre@4.1 in Guix? If not, I'd like
>> to remove it.
>>
>> Upstream security updates for it seem to be quite infrequent (2.5 months
>> between the last two releases), and the recent update to 4.1.40
>> neglected to include a fix for CVE-2017-6074, which does not inspire
>> confidence.
>>
>> What do you think?
>
> I don't have a strong objection. If somebody needs this particular Linux
> release series later, it will not be difficult for them to recreate.
>
> On the other hand, the 4.1 series has been selected for the Linux Foundation's
> Long Term Support Initiative. This program will support Linux releases for
> longer than usual, so 4.1 will be in use for longer than most of the Linux LTS
> releases.
>
> Besides, kernel bugs are not rare. More will be found and disclosed, and some
> will be found and kept private :/

Sure, but the 4.9 and 4.4 series kernels receive security updates quite
promptly, whereas the upstream 4.1 kernel has been vulnerable to
CVE-2017-6074 for several months without an update, and when the update
finally came, it neglected to include a fix for it.

> I recommend waiting a few days for more comments. IIRC, we kept this
> particular series to work around some bugs related to GuixSD and
> Libreboot. So, there were some people using it. I'd hate to "strand"
> existing users who might not notice that they are not receiving updates
> to the 'linux-4.1' package they've specified in their GuixSD
> configuration.

Yes, of course, that's why I asked. If some Libreboot users still need
4.1, then we'll keep it. However, I have a vague recollection of hearing
that the problem with Libreboot has since been resolved.

> If Hydra resources are a concern, perhaps we could keep the package but
> not build it.

No, my only concern is that I've lost confidence in the security of the
4.1 kernels.

Regards,
      Mark