On Fri, Oct 09, 2009 at 05:49:13PM -0400, Michael Gilbert wrote:
> > On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
> >> the linux-kbuild-2.6 source package includes portions of code from the
> >> linux-2.6 source package (i.e. everything in ./kbuild/*).  this is bad
> >> in terms of security support because it causes more work for the
> >> security team and increases the risk of errors, omissions, and mistakes.
> > No, it does not. It is a different source package and both are derived
> > from the same upstream code. 
> two different source packages with portions being the same code are
> considered a case of an embedded code copy; which is generally
> considered bad practice from a security perspective.

Well, please start with every source using autoconf then. autoconf
embeds copies of a large amount of source code snippets in the targets.
This has about the same practical relevance and use as the code we
are talking about.

> >> less significant, but also important, is that since the kbuild package
> >> is separated from the linux package, the kbuild packages always lag by
> >> weeks or months after a new kernel release; making it impossible to
> >> build modules for that new kernel.
> >> the recommended course of action is to update the linux-2.6 source
> >> package to also build the kbuild binaries.  thanks.
> > This is not possible for other reasons.
> what are these reasons, and why do they seem so insurmountable?

They are backed by §4 Social Contract. To be exact, it is part of the
cross-compile support in the linux packages. And yes, this is heavily
used.

Bastian

-- 
Vulcans worship peace above all.
                -- McCoy, "Return to Tomorrow", stardate 4768.3