Date:      Thu, 7 Dec 2023 16:53:31 +0100
From:      Felix Palmen <zirias@freebsd.org>
To:        Philip Paeps <philip@freebsd.org>
Cc:        Dan Langille <dan@langille.org>, ports-committers@freebsd.org,  dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Message-ID:  <sw77chw5v3nczlcrkhv7hl7vu6sucf5ozbyp2fps7lehixo7rs@mlwaoptf7hbr>
In-Reply-To: <D5B534F6-FA63-4941-9BD0-3C0F662D3E3E@freebsd.org>
References:  <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com> <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org> <d532ec63-66fc-410d-b397-7170a34a5f30@app.fastmail.com> <BD01492D-CF73-4A7F-8FCF-6236D25BDA1E@freebsd.org> <01372e6b-0e2d-4249-9f36-fdb24b380c71@app.fastmail.com> <1A46BB39-EBBA-4E02-97A4-860DD9608000@freebsd.org> <a2wecgnuc3hcg6vekqfuskpaa6p4xaicad6563r34og4l24ur2@vd3kjplqluwg> <D5B534F6-FA63-4941-9BD0-3C0F662D3E3E@freebsd.org>

* Philip Paeps <philip@freebsd.org> [20231207 23:44]:
> > I strongly assume the full freebsd-upgrade procedure will also upgrade
> > the kernel to -p7. If it doesn't, there's a more troubling issue
> > somewhere...
>
> This assumption is wrong.  freebsd-update builds only build what has
> changed.  If a security patch does not affect the kernel, the kernel is not
> rebuilt.

I'm pretty sure it isn't. As soon as there *is* a change to the kernel,
a new kernel is built and it will have the same version as the userland.

"Diverging" versions of kernel and userland are only possible as long as
there are no changes to the kernel. But these latest patches affected
the kernel.

> We've had this conversation before.  I believe the conclusion at the time
> was that there are no good answers and we can't have nice things.
>
> Tracking userland versions in vuxml breaks things for people running
> freebsd-update.  Tracking kernel versions hides vulnerabilities for people
> upgrading from source.
>
> We (security team) won't push kernel updates (and require users to reboot)
> for vulnerabilities that only affect userland, only to show a higher number.
> That would be silly.

Of course not. But this time, the kernel is affected?

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
