RE: Sarge Kernel Image Package Question

On Thu, 2006-06-29 at 13:02 -0500, Seth Goodman wrote:
On Thursday, June 29, 2006 9:58 AM -0500, Ralph Katz wrote:
On 06/29/2006, Linas Žvirblis wrote:
Why should it? Many people prefer to manually choose their
kernels, as this is not something you can upgrade at any given
time. It is not a problem either way - installing or removing a
meta package is not that hard, is it?

The issue is security; without the meta package, kernel updates are
/not/ automatic with apt-get/aptitude upgrades. For desktop users
and non-developers like me who maintain our own systems, it's easy
to miss the fact that kernel security updates are skipped without
the meta package. For this reason, I believe the current default
installation procedure and docs are flawed.

I agree with Ralph: this is a packaging problem that creates a security
problem for the less expert users. While it is true that it's not hard
to manually install the meta-package, here's the reason I believe it
should be installed as the default.
...
I don't think it's unreasonable criterion that someone who just wants to
create a Debian desktop install for the stable distribution should be
able to go through the installation procedure and wind up with a system
where _all_ security fixes are applied through the normal update tools.
They shouldn't _have_ to read lots of manuals, and be confused by myriad
options they don't understand, in order to achieve that result. They
also should not have to go to Ubuntu, which exists at the whim of a
single wealthy and well-intentioned individual.
...
Average desktop users, OTOH, don't even know they are missing a kernel
security upgrade unless they read the fine print in the installation
manual (assuming we add it) or subscribe to the Debian Security list.
While in the ideal world, all users would do both of those things, most
average desktop users will do neither. The punishment for that should
not be a kernel with known security flaws. Nor should we erect barriers
to average users who would otherwise be satisfied with a Debian system
in favor of an unnamed commercial one.

Whoa, am I missing a kernel security upgrade?

Retaining the requirement to manually add the kernel meta-package, if
you want kernel security upgrades, is not a reasonable way to go, IMHO.
Making it part of the default install, and adding a note in the install
manual for advanced users as to when and how to disable it, makes a lot
more sense. If we continue to insist on keeping things as they are, our
place as an O/S with an 8% desktop share is quite secure. Demanding
that users must educate themselves might feel righteous, but it won't
attract new users.

Does this approach "coddle" new users? Perhaps. Isn't that a bad idea?
No, because Debian is just a tool, not a way of life. While there are
many admirable social goals in the Debian project and the open-software
movement, those are secondary for most users. They decide whether or
not to use a given piece of software because of how much it improves
their productivity and how much trouble it is. After using it for a
while, _some_ of them will figure out that the reason it works as well
as it does is because of the open-source development model, and will
decide that's a valuable thing on it's own. That's all we need.

It seems that to me any decent Linux distribution ought to be, by
default, reasonably secure. Manual installation of the bare necessities
(at the least) for security should be left down the ladder at MS
Windows.

So what is the "meta-package" that should be installed? On my system,
Sarge amd64, I have installed kernel-image-2.6-amd64-k8, which depends
on the latest 2.6.8 kernel image (kernel-image-2.6.8-12-amd64-k8). Is
this the meta-package? [...I check the previous messages on this
thread...] Okay, so it is.

So this isn't installed by default? No? Why not?! Why else does
anyone upgrade the stable distribution than for security? The kernel
should certainly be included in that, /by default/.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages

  • Re: messed up upgrade 7.0 & 7.1 to 7.2
    ... to get Flash & Shockwave to work on a FreeBSD installation. ... I have not been able to figure out how a custom kernel could be ... Portsnap only updates the ports tree, ... upgrade I am supposed to provide the GENERIC kernel in /boot. ...
    (freebsd-questions)
  • Re: Cant install networking.
    ... That simply means that you're running the linux kernel, ... One great thing about debian is ease of upgrade -- it is quite easy to ... use several-year-old installation CDs to gain network access, ... >>etc work can greatly facilitate the installation process as well as ...
    (Debian-User)
  • Re: messed up upgrade 7.0 & 7.1 to 7.2
    ... to get Flash & Shockwave to work on a FreeBSD installation. ... I have not been able to figure out how a custom kernel could be ... not the installed ports themselves. ... upgrade I am supposed to provide the GENERIC kernel in /boot. ...
    (freebsd-questions)
  • Kernel 2.4 and ASRock
    ... I've hit a problem with my Linux installation - in that I upgraded to the ... kernel from backports.org and my system hangs during boot. ... during boot with an infinate amount of "Lost Interrupt" errors on my IDE ... K7S8X MB) - and that it is fixed with the 2.6 BIOS upgrade. ...
    (Debian-User)
  • Re: upgrade of etch from beta2 net install to current level
    ... Etch using grub>was installed this past spring 2006 with a 2.6.12 kernel from the>beta2 network installation CDROM. ... > Since I now have ADSL,>I tried to upgrade etch with aptitude update and aptitude upgrade. ... I can get to the Linux partition with the rescue mode of the original network installation CDROM for etch with kernel 2.6.15. ...
    (Debian-User)