Re: Which version of 2.6.11 is most stable

[Adrian Bunk <bunk@stusta.de>]

On Fri, Nov 11, 2005 at 09:49:08PM -0600, Rob Landley wrote:
> 
> One question I've wondered about for a bit...
> 
> The diff between each dot release (ala 2.6.12.0->2.6.12.1) can theoretically 
> be backported to an older kernel.  So in theory, at least some of the new 
> security fixes can be applied to older kernels.  (Yeah, this necessarily 
> complete.  Whether or not the patch makes any sense at all in the older 
> context, and whether or not that's everything they need to do...  That's a 
> seperate issue.  It allows some minimal, relatively straightforward 
> maintenance to be done on systems that are stuck with older kernels by 
> management fiat.
> 
> The gap is the jump to the next major release.  Suppose that 2.6.15 makes it 
> up to 2.6.15.10, and then 2.6.16 comes out.  Are there any security fixes in 
> 2.6.16 that weren't in 2.6.15.10?  Fixes which would have been in a 2.6.15.11 
> if the next big release had been delayed another two weeks?
> 
> From a practical standpoint, somebody stuck on 2.6.15 for another six months 
> is likely to at least try to apply the next security update (the diff between 
> 2.6.16->2.6.16.1) to their old kernel, but are they missing a week or two's 
> worth of security fixes?

They miss a completely undefined amount of fixes.
Consider e.g. the case that 2.6.16 contains fixes that are later 
identified as possible security issues.

The 2.6.16->2.6.16.1 patch fixes bugs in 2.6.16 - trying to apply it to 
a 2.6.15 kernel might both leave security holes and add new breakages.

> I'm trying to clarify what my question is:  When a new stable kernel comes 
> out, do the dot-release guys do one more release of security-only fixes to 
> patch all the known vulnerabilities that the new one addressed before moving 
> on?  Or do they just leave a gap and say "upgrade"?

There is no last dot-release - and it wouldn't help.

If you are running ftp.kernel.org kernels you have to upgrade to the 
latest one or you will definitely miss security fixes.

If this is a problem for you stay with distribution kernels - 
distributions offer exactly the service of security fixes for their 
kernels for a well-defined amount of time.

> Rob

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed