RE: Sarge Kernel Image Package Question



On Thursday, June 29, 2006 9:58 AM -0500, Ralph Katz wrote:

> On 06/29/2006, Linas Žvirblis wrote:
>
>> Why should it? Many people prefer to manually choose their
>> kernels, as this is not something you can upgrade at any given
>> time. It is not a problem either way - installing or removing a
>> meta package is not that hard, is it?
>
> Hi Linas,
>
> You are correct that installing the meta package is not hard.
>
> The issue is security; without the meta package, kernel updates are
> /not/ automatic with apt-get/aptitude upgrades. For desktop users
> and non-developers like me who maintain our own systems, it's easy
> to miss the fact that kernel security updates are skipped without
> the meta package. For this reason, I believe the current default
> installation procedure and docs are flawed.
>
> But it seems I'm alone on this as my post to this list got no
> response last April,
> http://lists.debian.org/debian-user/2006/04/msg00547.html pasted
> below.

I agree with Ralph: this is a packaging problem that creates a security
problem for the less expert users. While it is true that it's not hard
to manually install the meta-package, here's the reason I believe it
should be installed as the default.

Compiling a new kernel, while not all that difficult, is not something
the average desktop user typically does. It is also not something the
average desktop user should be required to read about, or even deal with
a dialog concerning pros and cons during an install. This is likely
to generate more confusion and unnecessary requests for help. Some
Debian purists may consider this an opportunity to educate new users as
to the options available, without regard to whether they want or need
such information.

I don't think it's an unreasonable criterion that someone who just wants to
create a Debian desktop install for the stable distribution should be
able to go through the installation procedure and wind up with a system
where _all_ security fixes are applied through the normal update tools.
They shouldn't _have_ to read lots of manuals, and be confused by myriad
options they don't understand, in order to achieve that result. They
also should not have to go to Ubuntu, which exists at the whim of a
single wealthy and well-intentioned individual.

Making an exception for the kernel is getting it backwards. It's the
experienced users that compile their own kernels, or use a kernel from
other than the stable distribution, who should disable the automatic
notifications in the update tools. In their case, even if they fail to
get rid of the meta-package, they know enough to ignore any kernel
update notifications they receive through apt-get update.

Average desktop users, OTOH, don't even know they are missing a kernel
security upgrade unless they read the fine print in the installation
manual (assuming we add it) or subscribe to the Debian Security list.
While in the ideal world, all users would do both of those things, most
average desktop users will do neither. The punishment for that should
not be a kernel with known security flaws. Nor should we erect barriers
to average users who would otherwise be satisfied with a Debian system
in favor of an unnamed commercial one.

Retaining the requirement to manually add the kernel meta-package, if
you want kernel security upgrades, is not a reasonable way to go, IMHO.
Making it part of the default install, and adding a note in the install
manual for advanced users as to when and how to disable it, makes a lot
more sense. If we continue to insist on keeping things as they are, our
place as an O/S with an 8% desktop share is quite secure. Demanding
that users must educate themselves might feel righteous, but it won't
attract new users.

Does this approach "coddle" new users? Perhaps. Isn't that a bad idea?
No, because Debian is just a tool, not a way of life. While there are
many admirable social goals in the Debian project and the open-software
movement, those are secondary for most users. They decide whether or
not to use a given piece of software because of how much it improves
their productivity and how much trouble it is. After using it for a
while, _some_ of them will figure out that the reason it works as well
as it does is because of the open-source development model, and will
decide that's a valuable thing on its own. That's all we need.

--
Seth Goodman
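
The condition discussed in this thread can be checked on an installed system. The script below is an added example, not part of the original messages: it reports whether any fully installed package depends on a given kernel image package, which is what a kernel meta package does. The Sarge-style `kernel-image-*` naming and the sample package list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: does any installed package depend on a
# given kernel image package? A kernel meta package shows up here as a
# dependent; if nothing is listed, no meta package tracks that kernel.

# Emit "name<TAB>status<TAB>depends" for every package dpkg knows about.
list_packages() {
    dpkg-query -W -f='${Package}\t${Status}\t${Depends}\n'
}

# tracking_packages KERNEL_PKG: read lines in list_packages format on stdin
# and print each fully installed package whose Depends names KERNEL_PKG.
tracking_packages() {
    awk -F '\t' -v target="$1" '
        $2 != "install ok installed" { next }   # skip removed/half-installed
        {
            n = split($3, deps, /[,|]/)
            for (i = 1; i <= n; i++) {
                d = deps[i]
                sub(/^ +/, "", d)        # trim leading blanks
                sub(/[ (].*$/, "", d)    # drop "(>= version)" constraints
                if (d == target) { print $1; break }
            }
        }'
}

# Constructed sample data; package names and versions are illustrative.
sample_packages() {
    printf 'kernel-image-2.6.8-2-686\tinstall ok installed\tcoreutils (>= 5.2.1), initrd-tools\n'
    printf 'kernel-image-2.6-686\tinstall ok installed\tkernel-image-2.6.8-2-686\n'
    printf 'kernel-image-2.4-686\tdeinstall ok config-files\tkernel-image-2.6.8-2-686\n'
}

if [ "${1:-}" = "--live" ]; then
    # Assumption: the image package is named kernel-image-<uname -r>.
    pkg="${2:-kernel-image-$(uname -r)}"
    found=$(list_packages | tracking_packages "$pkg")
else
    pkg="kernel-image-2.6.8-2-686"
    found=$(sample_packages | tracking_packages "$pkg")
fi
if [ -n "$found" ]; then
    echo "$pkg is tracked by: $found"
else
    echo "$pkg: no installed package depends on it (no meta package tracks it)"
fi
```

Run with `--live` to query the local dpkg database; a second argument overrides the assumed package name.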
