Re: [ANNOUNCE] linux-stable security tree

[Eddie Chapman]

On 12/04/16 13:52, Willy Tarreau wrote:
> On Tue, Apr 12, 2016 at 01:31:21PM +0100, Eddie Chapman wrote:
> > None-the-less, I applaud and thank Sasha for this new effort, and I
> > personally will find it very useful.  Yes, the lines between bug fix and
> > security fix are very blurred, and so this tree won't have every "security"
> > fix. But I believe and trust it *will* at least contain fixes for bugs that
> > have the most severe security impact.
>
> It will only contain them if they are already in the respective stable trees,
> which means that when I miss a fix (common), it won't appear there either.
> At first I thought "oh cool, a repository of known things that must absolutely
> be fixed, that will help me do my backports" and in the end I fear it will be
> blindly used by end users who don't understand what they're missing but who
> still believe they limit the risk of upgrades. Just this morning I saw a
> report of a user saying that haproxy crashes is 2.6.24 kernel which is
> "otherwise perfectly stable and achieves multi-years uptime"... Imagine
> what such users will do when backporting fixes into they multi-thousands-bugs
> kernel!

Yes, agreed. I'm sure it's not going to be an exhaustive, complete 
repository.  But I think it is better than no repository. And I think 
you are right there is a risk some will use it blindly. However, it 
seems to me if they make this mistake then by definition they were 
probably already screwed with regards the issues we're discussing here, 
so things can't really effectively get any worse. So by blindly applying 
a small tree of what have already been regarded as important fixes their 
situation might then be upgraded from 100% screwed to maybe only 70% 
screwed.