Re: [ANNOUNCE] linux-stable security tree
From: Eddie Chapman
Date: Tue Apr 12 2016 - 08:39:05 EST
I'd like to add my 2c here as a mere user of many of the stable trees
for many years in my projects.
The stable trees are excellent. The quality of the people selecting
patches and the selection process is excellent. I've rarely been on the
bad end of a regression. I've always used stable kernels in virtually
all my own projects, as well as many clients' projects.
I agree with a lot of what Greg and Willy have said here. There are
plenty of examples of quite serious, non-security related (yes I know
defining security/non-security is problematic) bugs being fixed in
stable releases. IMO you deserve everything you get if you only applied
the fixes in Sasha's new tree and ignored the stable releases completely.
None-the-less, I applaud and thank Sasha for this new effort, and I
personally will find it very useful. Yes, the lines between bug fix and
security fix are very blurred, and so this tree won't have every
"security" fix. But I believe and trust it *will* at least contain fixes
for bugs that have the most severe security impact.
Where I will find this very useful is in having a "place" where I can
see what are probably the most important security fixes applicable to
the stable trees I am interested in. Because if I may offer one
criticism of the kernel stable trees in general, it is that it is very
hard to find and identify fixes for known security vulnerabilities.
Whenever I want to update the kernel in one of my projects, I find
myself having to hunt around a lot for information, stringing together
bits from bug reports, mailing lists, git commits, to track down whether
or not a particular vulnerability is fixed in a stable tree. Not
always, sometimes it is very clear that a particular fix in a particular
stable release fixes a known vulnerability, especially with commits e.g.
referencing CVEs in the header or commit message. At other times there
might be absolutely nothing in the fix to indicate this fixes a known
vulnerability.
So anything which improves visibility, which this certainly does, is a
good thing in my opinion.
Eddie