iptables and patch-o-matic
Rocco Stanzione
grasshopper at linuxkungfu.org
Tue Jan 10 19:28:34 UTC 2006
On Tuesday 10 January 2006 12:41, Matt Zimmerman wrote:
> One of the explicit goals of our kernel packaging methodology has been to
> strictly limit the number of other packages which need to be rebuilt when
> the kernel changes. This is especially important when considering that
> security updates to the kernel are common in a stable release. Currently
> affected by kernel transitions in stable releases are:
>
> - linux-source-x.y.z, the kernel itself
> - linux-restricted-modules-x.y.z, modules which must be shipped separately
> due to restrictive licensing
> - linux-meta, the kernel metapackages which manage transitions
>
> Adding iptables to this list would add to the existing burden imposed by
> kernel security updates. I'd also be concerned about kernel updates
> causing iptables to fail to build.
>
> Can we find a way to keep it up to date with kernelspace while avoiding
> these issues?
The alternative is to keep the copy of the kernel headers used to build
iptables current with the kernel package, and to maintain the patch-o-matic
patches between the two packages. Patches made to iptables without patching
the kernel don't do any good (see bug 16831). Trivial changes to the kernel
won't usually require an update to the iptables copy to maintain
compatibility, but when we're upgrading to a new kernel (as opposed to a
bugfix release) the two should be synced up again.
The reasons you listed for not establishing a dependency link between the two
packages make sense, and I figured that's why it was done this way. My
counter-argument is that the way we do it now just plain doesn't work, and
the alternative I just described would arguably put a heavier maintenance
burden on the packagers. Pruning the kernel source tree down to just what
you need is likely to be a recurring problem as the list of required files
changes. Patching the two trees (iptables and the kernel) separately, and
maintaining them separately, represents duplication of effort and will
require ongoing communication and cooperation among the maintainers.
Honestly, either solution is fine with me, but having worked in a system where
the two packages were linked, it strikes me as the easiest and most correct
solution.
Thanks,
Rocco
More information about the kernel-team
mailing list