Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05

From: Felix Palmen <zirias_at_freebsd.org>
Date: Thu, 07 Dec 2023 15:53:31 UTC
* Philip Paeps <philip@freebsd.org> [20231207 23:44]:
> > I strongly assume the full freebsd-upgrade procedure will also upgrade
> > the kernel to -p7. If it doesn't, there's a more troubling issue
> > somewhere...
> 
> This assumption is wrong.  freebsd-update builds only build what has
> changed.  If a security patch does not affect the kernel, the kernel is not
> rebuilt.

I'm pretty sure it isn't. As soon as there *is* a change to the kernel,
a new kernel is built and it will have the same version as the userland.

"Diverging" versions of kernel and userland are only possible as long as
there are no changes to the kernel. But these latest patches affected
the kernel.

> We've had this conversation before.  I believe the conclusion at the time
> was that there are no good answers and we can't have nice things.
> 
> Tracking userland versions in vuxml breaks things for people running
> freebsd-update.  Tracking kernel versions hides vulnerabilities for people
> upgrading from source.
> 
> We (security team) won't push kernel updates (and require users to reboot)
> for vulnerabilities that only affect userland, only to show a higher number.
> That would be silly.

Of course not. But this time, the kernel is affected?

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
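A check for the kernel/userland patch-level divergence discussed in the thread above, added here as an example; it is not part of the thread and not FreeBSD project code. It parses the "X.Y-RELEASE-pN" strings that freebsd-version(1) prints and reports whether the kernel carries a lower -pN than the userland, which is the state freebsd-update leaves behind after a userland-only SA. The sample version strings at the bottom are constructed, so the script runs on any POSIX shell; the function names (patchlevel, base, version_state) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD project code): compare the
# patch level of a kernel version string with that of a userland version
# string, to detect the "diverging" kernel/userland numbers discussed above.

# patchlevel VERSION -> prints the N from a trailing -pN, or 0 if absent.
patchlevel() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base VERSION -> prints the version with any -pN suffix stripped,
# e.g. 13.2-RELEASE-p7 -> 13.2-RELEASE.
base() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# version_state KERNEL USERLAND -> prints one word and sets the exit status:
#   in-sync          (0) same release, same patch level
#   kernel-behind    (1) userland has a higher -pN: the freebsd-update case
#                        where an SA touched userland but not the kernel
#   kernel-ahead     (2) kernel has a higher -pN than userland
#   release-differs  (3) not even the same base release
version_state() {
    k="$1"; u="$2"
    if [ "$(base "$k")" != "$(base "$u")" ]; then
        echo release-differs; return 3
    fi
    kp=$(patchlevel "$k"); up=$(patchlevel "$u")
    if [ "$kp" -lt "$up" ]; then
        echo kernel-behind; return 1
    elif [ "$kp" -gt "$up" ]; then
        echo kernel-ahead; return 2
    fi
    echo in-sync; return 0
}

# On a real FreeBSD host compare the running kernel with the installed
# userland; skipped elsewhere so the script still runs offline.
if command -v freebsd-version >/dev/null 2>&1; then
    printf 'this host: %s\n' \
        "$(version_state "$(freebsd-version -r)" "$(freebsd-version -u)")"
fi

# Constructed sample pairs (kernel, userland); not taken from any real host.
for pair in \
    "13.2-RELEASE-p7 13.2-RELEASE-p7" \
    "13.2-RELEASE-p5 13.2-RELEASE-p7" \
    "13.2-RELEASE-p7 13.2-RELEASE-p5" \
    "13.1-RELEASE-p9 13.2-RELEASE-p7"
do
    set -- $pair
    printf '%-18s %-18s %s\n' "$1" "$2" "$(version_state "$1" "$2")"
done
```

The exit status makes the function usable in a script that decides whether a "kernel-behind" host is acceptable (no kernel change in the SA) or needs a reboot into a rebuilt kernel; the word it prints is for humans.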