Releasing with a known broken kernel

Alexander Skwar listen at alexander.skwar.name
Tue Aug 15 06:25:11 UTC 2006


· Gabriel M Dragffy <dragffy at yandex.ru>:

> On Mon, 2006-08-14 at 11:30 -0400, Brian McKee wrote:
>> On 14/08/06, Alexander Skwar <listen at alexander.skwar.name> wrote:
>> > Adam Conrad <adconrad at ubuntu.com>:
>> >
>> > > Alexander Skwar wrote:
>> > >>
>> > >> Kernel -25 is more stable.
>> > >
>> > > ... and also has security issues.
>> >
>> > Yes, known. But -25 works.
>> 
>> 
>> It's just a numbers game right?

Yep. It's how you weight what's important. IMO "works" has a weight of
100 and "works well" (ie. removing security holes) has a weight of 
less than 100. Thus, the game is quite easy.

>> Security hole for all users vs. Doesn't work at all for some subset of users
>> 
>> If won't boot = 100 and security hole = 1
>> Because it's an obscure unlikely to be a problem security hole
>>   (((I'm guessing here, I don't know the details of the security issue!)))
>> 
>> multiply the numbers out and see which side wins....
>> 
>> Since I have no idea how big a percentage of the Ubuntu user base has
>> the problem
>> hardware, I can't tell you if they made the right decision, and until
>> somebody can put
>> hard numbers to this, we are all blowing smoke on this thread I think.
>> 
>> OTOH, a big notice for affected users in the release notes could have
>> been in order I suppose.
>> 
> 
> I'm glad it was released with a patched kernel even if it doesn't work.

No. It's never better to release something, which is known to *NOT*
work.

> If they released a vulnerable system then they'd be no better than MS.
> Honestly, neither situation is particularly ideal, but if push comes to
> shove then security should take precedence.

No. A non-working system is never acceptable.

> If it's a business game then 
> you would have to take the MS strategy of releasing broken stuff because
> the profits are higher, but Ubuntu isn't here just to take the biggest
> chunks of money so the business model is different. I mean what kind of
> reputation will ubuntu get if word gets around it's releasing with KNOWN
> security vulnerabilities.

And what kind of reputation will it get, when it's releasing with KNOWN
broken kernel? As I said before: It's the kernel, and because of that,
later updating to something workable, which is STILL not there!, is
not possible.

> Remember the bug with Breezy where the admin 
> password was stored in cleartext during install, not a pretty time.

But by far not as bad as the current situation. The "Breezy issue"
was easily resolved by doing an update after installation.

> I'm not an expert on this but from what I read it's a problem afflicting
> users with VIA chipsets. In which case if they dist-upgrade they will
> have already found out that kernel doesn't work, so should avoid the
> 6.06.1 iso. The problem is losing potential new users, perhaps a note in
> an obvious place could be set up, to alert people if they have a VIA
> chipset they're better off getting the original release for now.

To underline how, IMO, stupid the decision was, they even removed
the 6.06 image, so users really *CANNOT* use Ubuntu. See e.g. http://ubuntu-releases.cs.umn.edu//6.06/

IMO the 6.06.1 release was rushed and should be removed.

Alexander Skwar
-- 
In love, silence often counts for more than speech.
                -- Blaise Pascal





