From: Sasha Levin <sasha.levin@oracle.com>
To: Greg KH <greg@kroah.com>
Cc: Willy Tarreau <w@1wt.eu>, Jiri Slaby <jslaby@suse.cz>,
	LKML <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>,
	lwn@lwn.net
Subject: Re: stable-security kernel updates
Date: Thu, 21 Apr 2016 10:01:29 -0400
Message-ID: <5718DD39.40808@oracle.com>
In-Reply-To: <20160421123631.GA19248@kroah.com>

On 04/21/2016 08:36 AM, Greg KH wrote:
> On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote:
>> Hey Willy,
>>
>> On 04/21/2016 03:11 AM, Willy Tarreau wrote:
>>> This illustrates exactly what I suspected would happen because that's the
>>> same trouble we all face when picking backports for our respective trees
>>> except that since the selection barrier is much higher here, lots of
>>> important ones will be missing
>>
>> Right. I fully agree that there will be important security commits that'll
>> get missed, whether because they were missed in the stable selection or
>> the stable-security selection.
>>
>> I'd like to point out again that updating the entire stable tree is the
>> preferable way to patch against security (and non-security) issues.
> 
> s/preferable/only/ :)

Really? Even though, as I showed, updating your stable tree religiously would
still leave you vulnerable to "ancient" privesc exploits?

If anything, the *only* way is updating the entire kernel tree.

>> The
>> stable-security tree is a best-effort solution to provide a stop-gap in
>> between said stable tree updates.
> 
> What are you "stop-gapping" then?  The 7-10 days between stable
> releases?

In a perfect world where everyone has a team of kernel hackers on hand
reviewing stable commits, verifying the resulting kernel doesn't regress
their product, and fixing existing regressions for their product, it might
be 7-10 days.

In the real world, this process takes much longer.

Doing a full rebase of the kernel tree is a much more costly process than
cherry picking a handful of security commits.


Thanks,
Sasha
