On Wed, Sep 29, 1999 at 02:42:38AM -0700, Seth R Arnold wrote:
> On Wed, Sep 29, 1999 at 10:27:43AM +0000, Marcin Owsiany wrote:
> > On Tue, Sep 28, 1999 at 09:41:26PM -0500, Ashley Clark wrote:
> > > On Tue, 28 Sep 1999, Marcin Owsiany wrote:
> > > > the way to solve the problem would be to create a package called e.g.
> > > > "secure-kernel", which would depend on the most secure
> > > > "kernel-image-<ver>".
> > > > Then if the security team has newer kernel with security bugfixes, they
> > > > would make a new version of "secure-kernel" which would depend on the
> > > > fixed kernel.
> > >
> > > I, for one, wouldn't want my kernel upgraded automatically, no matter
> > > what the fixes involved are. Here's why: I have compiled my own
> > > kernel with my hardware selected (sound, tape drive, scsi card,
> > > network card) and Debian simply can't afford to make all possible
> > > combinations of kernel configurations to provide an easy upgrade path
> > > for users. Now, possibly there could be some kind of secure-kernel
> > > package which would do nothing more than simply inform you during
> > > upgrade that a newer kernel with such-and-such security patches is
> > > available and recommend how to upgrade, that seems more reasonable
> > > to me at least.
> >
> > That is the point of this idea. If you want your kernel to be upgraded
> > automatically, you install secure-kernel, if you only want to be informed,
> > you install secure-kernel-info, if you don't care at all, you install
> > neither.
>
> I am still very leery of automatic kernel updating... I do rather like the
> idea of secure-kernel-info, as Marcin has described it, but it needs a
> better name; secure-kernel just won't do it. kernel-update-watcher perhaps.

But of course, I know the names need improving.

> However, if security is enough of an issue for you that you think a kernel
> package should be made around it, maybe you should keep an eye on bugtraq
> and freshmeat, or a cron-job to grab the LATEST-VERSION-IS file from the
> kernel.org servers -- no matter which approach is taken, it will be faster
> than waiting for a new kernel package to come along...

I guess this kind of kernel packages would be for people quite concerned
about security but also quite lazy :)
Also if you administer a lot of boxes, and if they work ok with the default
kernel you will find it _a lot_ more convenient to automatically upgrade
kernel than to compile it for each box...

Just my 0.02

Marcin

--
---------------------------------
Marcin Owsiany [EMAIL PROTECTED]
---------------------------------