Hi,

On Mon, Apr 18, 2011 at 11:39:18AM +0200, intrigeri wrote:
> Hi,
>
> Input data:
>
> - a great number of Tails 0.7 users are affected by Debian bug
> #618665 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618665)
> - this bug is fixed in an updated kernel that is available in the
> squeeze-proposed-updates repository, but not in the main Squeeze
> repository yet
> - the DHCP software shipped in Tails 0.7 is affected by a remote
> arbitrary code execution flaw (DSA-2216)
>
> => I think we should prepare and publish a 0.7.1 release that would
> fix these bugs, presumably using the updated kernel from s-p-u.
>
> On the other hand, as stated in our design document, we generally want
> to ship the latest kernel available in Debian backports for better
> hardware support; we can expect 2.6.38 to reach backports pretty soon:
>
> http://lists.debian.org/debian-backports/2011/04/msg00027.html
>
> So I'm not sure what we should do.
>
> What do you think? Shall we wait for 2.6.38 to be available in
> backports and ship it in 0.7.1? Does it seem robust and tested enough
> for our needs?

This is a tough question! I'd be in favor of updating ASAP, as this pointer bug
seems to happen a lot, and the DSA is quite serious.

However, the kernel choice sure isn't easy. Seems like the last 2.6.38
upstream stable (.4) happened 4 days ago, and this kernel is included in
stable since a month or so into Debian unstable. There's no bug report on
it in the Debian Bug Tracker.

I think it might be a bit soon to ship this kernel in Tails yet. Sounds
like it'd need some more testing, but maybe I'm wrong. Have others here been
running this kernel for some time?

bert.