> On Mon, Jan 16, 2006 at 12:48:33PM -0600, Josh Boyer wrote: > > > I agree that kernels in extras is not a good idea. However, you have > the > > same security issues with kernel _modules_ in extras. Think OpenAFS > > security issue, etc. > > With modules its less of a concern, as that usually means on the day > it gets fixed upstream, a maintainer can respin a package with the > fix-de-jour. For a kernel however, it's a lot more painful, as it > a) takes longer to build > b) takes longer to test (sometimes security fixes have knock-on > consequences which can have dire consequences, such as being > unable to boot in certain configurations) > c) requires every kernel module package to need to be rebuilt too. Sure, I was just saying that it's still a concern. <snip perfectly valid point> > > Davej, I sympathize with you but you might want to start making "What > > kernel module packages from Extras do you have installed?" a standard > > question in your bug reports. > > In the cases of oopses, I already get that info. It's the non-oops > bug-reports that are a problem, and asking users at times isn't > a sure-fire way to find out. I've seen reports where users have > claimed never to have loaded a binary module, and have editted > out the 'tainted' part of a kernel oops, despite leaving other > telltale signs that they had in fact loaded vmware, nvidia etc.. Ew... People are manually mucking with that? Sounds like bugzilla needs a YOUREAWANKER resolution for folks that do that. Anyway, sounds like you have it under control as usual. Here's to hoping your bug reports don't increase too much with Extras modules :). josh -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
