Dropping i386 non-PAE as a supported kernel flavour in Precise Pangolin

Kees Cook kees at ubuntu.com
Mon Nov 28 18:44:19 UTC 2011


On Mon, Nov 28, 2011 at 09:40:53AM -0700, Tim Gardner wrote:
> non-pae has a ginormous and ugly NX emulation patch

This is about dropping non-PAE support, not dropping non-NX support. The NX
emulation patch must remain in the kernel since a large number of systems
have PAE but not NX.

You can see this in the table here:
https://wiki.ubuntu.com/Security/Features#nx
Dropping non-PAE just eliminates the top line in that table. NX-emu will
still be needed.

> that has consumed substantial maintenance resources in the past,

I'm also curious about this claim, as you've expressed to me in the past
that carrying it has been surprisingly trivial. In fact, since I'm the one
maintaining it these days, it's actually going to require 0 resources from
Canonical. ;)

http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=shortlog;h=refs/heads/nx-emu

> The kernel team has limited resources. Obviously I want to apply
> what resources we have to the problems that affect the most
> important platforms. Furthermore, I anticipate new ARM flavours in
> the coming months which will take up any slack afforded by the loss
> of non-PAE.

I'm curious why pushing non-PAE to universe and leaving it in the main
linux source package is a burden? Then people using non-PAE get automatic
security updates without any hassle on anyone's part. This is what the
Ubuntu Security Team manager wants:
https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034457.html
as well as what the Ubuntu Platform Team manager wants:
https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034463.html

I'm not convinced there's enough evidence to say that dropping it from the
main linux source package will actually save any time at all.

-Kees

-- 
Kees Cook


