opened 12:39PM - 09 Nov 23 UTC
Ding dong. First and the biggest problem with Debian: package freezing. On some …other distros like Fedora, developers are aware of the security implications of freezing packages. That's why Fedora freezes packages, but they don't freeze the kernel, and they don't freeze firmware.
Debian freezes firmware updates between point releases. Ouch. This is supposedly for 'testing'. But this is more of a joke really. Because what are you testing? What are you going to do, it is non-free to begin with. Like, there is no point.
My solution: let's port these from sid, by default. I know it is not recommended to make 'FrankenDebian' or whatever, but we already are distromorphing, this is only just the kernel, which is the most backported thing in the universe. The counter argument here can be: oh no the Debian security team does not give priority to sid. And this argument would be very moot, because the Debian security team does not give any priority to non-free firmware on any of their distros at all, [anyway](https://www.debian.org/security/faq#contrib). They just don't do anything. But they still freeze it, for some reason.
And for the kernel, we really don't need the Debian security team to do the security patches. The upstream kernel maintainers are the ones that recognize the security issues and fix them in the first place anyway. And since we are going to get the latest stable release, we are still going to be way faster to receive security updates, along with other bug fixes, which might also impact security, despite not receiving a CVE. All bugs are bad, and can be used against the user. Only patching CVEs is not the best approach, especially for the kernel.
Backport the kernel, backport the firmware. I will go ahead and raise you a more radical solution. It does not take a super genius to compile a kernel. It does not take a genius to write a pipeline to compile the kernel. A buildservice can also be used. The more radical solution is, we do our own kernel. We, as in actually you the maintainer, and not we the user. We won't do any complicated patches that would require review before compile. Just gonna compile with the hardened sysctl defaults, include the non-free firmware, sign them all with Kicksecure keys, and ship them in a deb package. I tell you. You want big security, this is big security, without having to change the base repo. If you don't trust yourself to maintain this, let's just backport these. Let's go. Waiting for counter arguments if any.
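Shipping a kernel "with the hardened sysctl defaults" only helps if those defaults actually survive on the installed system, so a maintainer would want a way to audit the running state against the intended baseline. The script below is an added example, not code from the post, from Kicksecure or from Debian: the sysctl keys are real Linux tunables, but the baseline values and the sample `sysctl -a` output are constructed for illustration, and a real maintainer would substitute the list they actually ship.

```shell
#!/bin/sh
# Added example (not from the original post): audit sysctl state against a
# hardened baseline and print every deviation. Works on a captured
# "key = value" dump or on the live kernel via `sysctl -a`.

# Constructed baseline: one "key expected-value" pair per line. The keys are
# genuine Linux sysctl names; the chosen values are illustrative only.
HARDENED_BASELINE='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.yama.ptrace_scope 2
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
kernel.perf_event_paranoid 3'

# Constructed sample of `sysctl -a`-style output from a hypothetical host.
# It deliberately deviates in two places (kptr_restrict, perf_event_paranoid).
SAMPLE_SYSCTL='kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.perf_event_paranoid = 2
net.ipv4.ip_forward = 0'

# lookup_value KEY STATE
# Prints the value of KEY from "key = value" lines in STATE, or nothing if
# the key is absent (e.g. the module providing it is not loaded).
lookup_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}

# audit_sysctl STATE
# Prints one line per deviation: "key expected=X actual=Y".
# A key missing from STATE is reported as actual=<unset>.
audit_sysctl() {
    state="$1"
    printf '%s\n' "$HARDENED_BASELINE" | while read -r key expected; do
        actual=$(lookup_value "$key" "$state")
        if [ "$actual" != "$expected" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$expected" "${actual:-<unset>}"
        fi
    done
}

# count_deviations STATE
# Prints the number of baseline entries that deviate (0 means compliant).
count_deviations() {
    audit_sysctl "$1" | awk 'END { print NR }'
}

# Usage:  sh audit_sysctl.sh --sample   (audit the constructed sample)
#         sh audit_sysctl.sh --live     (audit the running kernel)
case "${1:-}" in
    --sample) audit_sysctl "$SAMPLE_SYSCTL" ;;
    --live)   audit_sysctl "$(sysctl -a 2>/dev/null)" ;;
esac
```

Run with `--sample` the script reports the two constructed deviations; with `--live` it compares the running kernel's values to the baseline. Keys that are absent on the host (a module not loaded, a feature compiled out) surface as `<unset>` rather than silently passing, which is the case a packaged default most often misses.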