How to determine what's changed in new kernel?

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Thu Jul 24 21:16:43 UTC 2008


Michael Hannon wrote, On 07/24/2008 04:19 PM:
<SNIP>
>     rpm -q --changelog kernel-2.6.25.10-86.fc9.i686
> 
> This gives a lot of output, as:
> 
> * Mon Jul 07 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.9-86
> - Fix USB interrupt handling with shared interrupts.
> 
> * Fri Jul 04 2008 John W. Linville <linville at redhat.com> 2.6.25.9-85
> - Upstream wireless fixes from 2008-07-02
>   (http://marc.info/?l=linux-netdev&m=121503163124089&w=2)
> - Apply Stefan Becker's fix for bad hunk of wireless build fixups for 2.6.25
>   (https://bugzilla.redhat.com/show_bug.cgi?id=453390#c36)
> .
> .
> .
> * Fri Oct 12 2007 Dave Jones <davej at redhat.com>
> - 2.6.23-git2
> 
> * Fri Oct 12 2007 Dave Jones <davej at redhat.com>
> - Start F9 branch.
> 
> Clearly, not all of these changes apply to the transition 
> from 2.6.25.9-76 to 2.6.25.10-86.  

True, but the way I read these is:
A) find the entry with your old version (2.6.25.9-76) next to it
B) read everything above that entry.

> This makes it hard to assess the significance of that transition.
> 

Security fixes are OFTEN (not always) accompanied by the words "security" or 
"CVE-", but the only way to know if the fedora folks definitely think it is a 
security fix is to look for the [SECURITY] marker on "fedora-package-announce" 
as Michael indicated.

of course I also like lwn:
http://lwn.net/Security/
http://lwn.net/Alerts/Fedora/

> Is there some place I can find a succinct summary and evaluation 
> of the changes to the kernel?  
<SNIP>
You already have, the change log. Anything else is verbose.
And a more succinct summary as to a release being for security is looking for 
the markers Michael indicated.

Of course in the past I have seen kernels put out that happens to fix a 
security problem and yet it is not marked as a security release.


Also to have a _summary_ of what the IA security folks have been[1] thinking 
about you want to look at:
http://cve.mitre.org/

going to the following and putting "linux kernel" in the keyword search, and 
setting the "Search start date:" year field to 2008 is kind of interesting.
http://nvd.nist.gov/nvd.cfm?advancedsearch

<bad humor>
Man! any monkey can make these security decisions. :P
</bad humor>

[1] specifics of a cve is usually not made public until the experts have 
looked at it for a while.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter




More information about the users mailing list