Re: Kernel upgrade for 3Ware Driver issues?

2008-04-24 Thread Holger Levsen
Hi,

On Wednesday 23 April 2008 13:24, Rolf Kutz wrote:
> Ack. But there should be a way to fix rc-bugs even
> after release.

There is. Even for ("only") important bugs. 

The howto in short: have a bug with patch in the BTS, send mail to 
debian-release and ask about this bug to be allowed to be fixed in a point 
release (by an upload to stable-proposed-updates, which is then later allowed 
to be migrated to stable). This happens all the time. (Since sarge IIRC.)

So there is absolutely no need (and use) to turn something into a security 
issue which is none.


regards,
Holger




Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Simon Valiquette

Rolf Kutz once wrote:
> On 23/04/08 07:00 -0400, Michael Stone wrote:
> > disk"--systems maintenance issue.) The end result of data security 
> > processes should lead you to backups or some other contingency plan, 
> > no shoving arbitrary software into stable because it scratches your 
> > itch. Instead of blowing the computer security horn because that horn 
> > happens to have resources attached to it, you should pursue the 
> > general systems maintenance horn because that's what this problem is. 
> > (The you here is plural, and this is an industry-wide problem.)
>
> Ack. But there should be a way to fix rc-bugs even
> after release.



  I fully agree that this bug doesn't deserve a security update, but I 
see no reason for not fixing in 4.0r4 what would normally be considered a 
release critical bug.


  Since there is no urgency to release, or security issues involved, it 
would be easy to publicly ask people to test the fix in order to get 
better testing.

  In my opinion, the only proper period to include those fixes is when 
there is a new revision, or maybe before if there is another problem that 
already deserves a DSA and that the security team feels comfortable to 
include both fixes at the same time.

  But there should be an official way to get major problems fixed when 
the risk of breaking something is low enough.


Simon Valiquette


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Rolf Kutz

On 23/04/08 07:00 -0400, Michael Stone wrote:
> needs to be scoped.  There is no benefit whatsoever to defining 
> *anything bad that happens* as a computer security issue. ("Oops, I 
> accidentally deleted my own file"--no, you screwed up, "Oops, the 
> building burned down"--bigger problem than computer security; "Oops, 
> aliens destroyed the planet"--ditto; "oops, flakey driver ate my hard 

Everybody keeps off site backups! :)

> disk"--systems maintenance issue.) The end result of data security 
> processes should lead you to backups or some other contingency plan, no 
> shoving arbitrary software into stable because it scratches your itch. 
> Instead of blowing the computer security horn because that horn happens 
> to have resources attached to it, you should pursue the general systems 
> maintenance horn because that's what this problem is. (The you here is 
> plural, and this is an industry-wide problem.)

Ack. But there should be a way to fix rc-bugs even
after release.

regards, Rolf

--
I died. [...]
Five seconds later, I'm getting the upside of 15Kv across the nipples.
(These ambulance guys sure know how to party).





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Michael Stone

On Wed, Apr 23, 2008 at 09:14:28AM +0200, Vladislav Kurz wrote:
> This might be a little off-topic, but I'd like to know if there is a 
> definition of what is a "security issue" ? Once I learned that security 
> consists of confidentiality, integrity and availability. And data corruption 
> destroys integrity and availability.

CIA is a common way to talk about the goals of computer security, but it 
needs to be scoped.  There is no benefit whatsoever to defining 
*anything bad that happens* as a computer security issue. ("Oops, I 
accidentally deleted my own file"--no, you screwed up, "Oops, the 
building burned down"--bigger problem than computer security; "Oops, 
aliens destroyed the planet"--ditto; "oops, flakey driver ate my hard 
disk"--systems maintenance issue.) The end result of data security 
processes should lead you to backups or some other contingency plan, no 
shoving arbitrary software into stable because it scratches your itch. 
Instead of blowing the computer security horn because that horn happens 
to have resources attached to it, you should pursue the general systems 
maintenance horn because that's what this problem is. (The you here is 
plural, and this is an industry-wide problem.)


Mike Stone





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Vladislav Kurz
On Wednesday 23 of April 2008, dann frazier wrote:
> On Tue, Apr 22, 2008 at 04:45:53PM -0600, Michael Loftis wrote:
> > --On April 22, 2008 11:21:25 PM +0200 Florian Weimer <[EMAIL PROTECTED]>
> >
> > wrote:
> >> I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
> >> controllers is pretty small, otherwise this bug would have been noticed
> >> earlier.  So the sky is not falling.
> >>
> >> Technically, this is not a security bug.
> >
> > It definitely affects non-64bit systems too, contrary to 3Ware's claims.
> > We had corruption on a 32bit system, which is what prompted us to start
> > figuring it out.
> >
> > And I agree, technically it isn't, but security is one of the few ways to
> > get updates into the distribution that are NMU.
>
> But that doesn't make them security issues. Don't get me wrong, I'd be
> all for a more fluid update process for non-security/critical issues,
> but it doesn't exist at the moment. The security team controls what
> goes out as a security update, and we're not going to get the security
> team to release a security update for a non-security issue.
>
> --
> dann frazier

Hello,

This might be a little off-topic, but I'd like to know if there is a 
definition of what is a "security issue" ? Once I learned that security 
consists of confidentiality, integrity and availability. And data corruption 
destroys integrity and availability.

-- 
Vladislav Kurz





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Florian Weimer
* dann frazier:

> But that doesn't make them security issues. Don't get me wrong, I'd be
> all for a more fluid update process for non-security/critical issues,
> but it doesn't exist at the moment. The security team controls what
> goes out as a security update, and we're not going to get the security
> team to release a security update for a non-security issue.

Nowadays, we've got stable-proposed-updates, which works pretty well.
The issue should be fixed in the etch + 1/2 kernel which is available
there.





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-22 Thread dann frazier
On Tue, Apr 22, 2008 at 04:45:53PM -0600, Michael Loftis wrote:
>
>
> --On April 22, 2008 11:21:25 PM +0200 Florian Weimer <[EMAIL PROTECTED]> 
> wrote:
>
>
>>
>> I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
>> controllers is pretty small, otherwise this bug would have been noticed
>> earlier.  So the sky is not falling.
>>
>> Technically, this is not a security bug.
>
> It definitely affects non-64bit systems too, contrary to 3Ware's claims. We 
> had corruption on a 32bit system, which is what prompted us to start 
> figuring it out.
>
> And I agree, technically it isn't, but security is one of the few ways to 
> get updates into the distribution that are NMU.

But that doesn't make them security issues. Don't get me wrong, I'd be
all for a more fluid update process for non-security/critical issues,
but it doesn't exist at the moment. The security team controls what
goes out as a security update, and we're not going to get the security
team to release a security update for a non-security issue.

-- 
dann frazier





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-22 Thread Michael Loftis



--On April 22, 2008 11:21:25 PM +0200 Florian Weimer <[EMAIL PROTECTED]> 
wrote:

> I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
> controllers is pretty small, otherwise this bug would have been noticed
> earlier.  So the sky is not falling.
>
> Technically, this is not a security bug.


It definitely affects non-64bit systems too, contrary to 3Ware's claims. 
We had corruption on a 32bit system, which is what prompted us to start 
figuring it out.


And I agree, technically it isn't, but security is one of the few ways to 
get updates into the distribution that are NMU.




--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-22 Thread Florian Weimer
* Michael Loftis:

> The 2.6.18-6 kernel has a buggy 3w- driver.  Causes data
> corruption on (at least) EM64T w/ 4+GB of RAM.  I'm also pretty sure
> it's the cause of corruption on EM64T systems in 32-bit mode even w/o
> 4+GB of RAM. Specifically it affects 7xxx and 8xxx series cards.
>
> In any event this is a pretty serious bug affecting a pretty large
> number of systems, more than what 3Ware seems to be admitting, so is
> there any plan to issue an update?

I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
controllers is pretty small, otherwise this bug would have been noticed
earlier.  So the sky is not falling.

Technically, this is not a security bug.

