e 03/10/2023 à 19:06, Bjørn Mork a écrit :
herve <he...@couvelard.com> writes:
concerning the linux-headers. may i explain what happend to me.
I reinstalled a debian 11.6 some months ago. and last week i had to
make virtualbox functioning again. it had to "compile" some kernel
modules and need some "headers". my kernel (from the install is
5.10.0-23-amd64 #1 SMP Debian 5.10.179-3 (2023-07-27) x86_64
GNU/Linux) so virtualbox need some 5.10.0-23 headers... you can find
5.10.0.20, 5.10.0.22, 5.10.0.25 in the repos from where the install
came from.
I had to surf the web and find a 5.10.0.23 in the web site of an
university and wget it to dpkg -i it.
No, you didn't. You could, and should, simply update the kernel with
the latest security fixes, and then install the matching headers from
the same repo.
I do not know (maybe i could not even understand) the security
reasons/problems of the headers versioning but it seems from my
end-user point of view that, the actual situation that lend me to
download from a website is the worst possible solution.
Running out-of-tree kernel code means that you can't use the security
card. Sorry.
Bjørn
Bjørn
thank you for your answer.
I remember that linus had the aim to be the less annoying for the
user-expérience. I can understand _your_ point of view to have the
"kernel-three-code" and the "security" card things. the fact is i didn't
choose neither testing, neither sid but stable. And in my experience
upgrading kernel is not always smooth. so I used to keep the same
kernel, until it is important to change, and i have time to do it. Not
when i have to run a wm to finish a job.
It is, from my point of view a "geek" stuff to "delete" the packages
from the repos. _you_ think I _must_ upgrade my kernel. OK. But if it
was so simple their would not have theses messages on the list. When i
tried to install the headers i had no message i should upgrade, just the
packages were not existing (the same that if there was was a typo). So i
surfed the web to find it. How could i know that i _should_ upgrade to
benefit the right to get some headers ? If i installed them in the same
time as the kernel, i would have them already : which differences in
terms of security (installed in july - installed in september) ?
I just want to point, that i didn't initiate a thread to complain, i
just share my experience on an existing thread about headers and
security. i was not shamming security or else. i was just saying that
the politic to improve security pushed me to download from the web
instead of the repos. is the solution worse than the disease ? I use
linux on the desktop for almost 25 years, red hat, then fedora, then
debian and that never happened until last week. I was thinking that the
difference between free software and proprietary one is the possibility
for free software user to upgrade when _they_ want and not when the
_supplier_ decide they should. and suppress headers is _forcing_ user to
upgrade.
So to conclude, my experience is not a way to propose or impose a
solution but to point that there are sometimes between chair and screen
some "normal" persons that just want things to run. If the solution
proposed by virtualbox (install headers, naming them) could not
function, they will install something else. And, if i find alone the
solution by some little experience, lots of people won't. Of course you
are right about "Running out-of-tree kernel code" but that would not
help them.
Linux is not so easy, maybe it is not a good idea to had some
complications. if a kernel is so rapidly "out-of-tree" why let it in the
"stable" distribution ?
my 2 cents.
hervé
ps : i really understand your point of view, i just want to say it is
not in the 10 commandments
