* Backporting stacked security patch @ 2018-10-30 11:43 Lev Olshvang 2018-10-30 14:33 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Lev Olshvang @ 2018-10-30 11:43 UTC (permalink / raw) To: kernelnewbies Hi All, I week ago I asked the list about kernel 4.2 stacked security patch location , but Greg strongly advised me against, without going into details. I highly appreciate Greg advice, and I know he is a very busy person. Unfortunately I do not have a choice to upgrade kernel, and I am asking again : - what are major challenges of a such backport ? Does kernel security changed so much between 3.18 and 4.2 ? The link is https://kernelnewbies.org/Linux_4.2#Stacking_of_security_modules Regards, Lev ^ permalink raw reply [flat|nested] 5+ messages in thread
* Backporting stacked security patch 2018-10-30 11:43 Backporting stacked security patch Lev Olshvang @ 2018-10-30 14:33 ` Greg KH 2018-10-30 18:19 ` Lev Olshvang 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2018-10-30 14:33 UTC (permalink / raw) To: kernelnewbies On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote: > Hi All, > > I week ago I asked the list about kernel 4.2 stacked security patch location , but > Greg strongly advised me against, without going into details. > I highly appreciate Greg advice, and I know he is a very busy person. > Unfortunately I do not have a choice to upgrade kernel, and I am asking again : > - what are major challenges of a such backport ? > Does kernel security changed so much between 3.18 and 4.2 ? $ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l 48573 That's over 48 thousand changes between those kernels. That's a non-trivial thing to review and backport only parts of it. And if you were to backport only parts of it, then you would be dealing with a kernel that only you can support, not the company/vendor that is forcing you to stick with 3.18. Why not ask them to do this work for you as they are the ones you are paying for this type of work already? Also, why 3.18? That's a very old and obsolete kernel already, never use that for any new type of device, you are guaranteed to have problems with it as I'll probably stop doing security updates for it any week now... good luck! greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Backporting stacked security patch 2018-10-30 14:33 ` Greg KH @ 2018-10-30 18:19 ` Lev Olshvang 2018-10-30 21:17 ` valdis.kletnieks at vt.edu 2018-10-31 6:50 ` Greg KH 0 siblings, 2 replies; 5+ messages in thread From: Lev Olshvang @ 2018-10-30 18:19 UTC (permalink / raw) To: kernelnewbies Hi Greg, Thanks for a reply. While diff between two kernels is indeed tremendous, the commits which were done in security subsystem do not look too bid,. There are 7 commits, and 2 of them is about comments and one about file deletion. I see that in 4.1 Smack was changed (couple of commits) and about 12 commits in SeLinux and Smack that we were changed in 4.0, and in 3.19 only IMA was changed. So the job is to apply very limited number of commits, and commits of 4.1 or 4.0 are not important for me because I am interested only in Apparmor stacking Perhaps I am overlooking some basic issue ? As I stated, I have no option to come to customer and ask to upgrade his kernel, but I will try to put his attention to mentioned by you cease of security updates. Best Regards Lev 30.10.2018, 17:32, "Greg KH" <greg@kroah.com>: > On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote: >> ?Hi All, >> >> ?I week ago I asked the list about kernel 4.2 stacked security patch location , but >> ?Greg strongly advised me against, without going into details. >> ?I highly appreciate Greg advice, and I know he is a very busy person. >> ?Unfortunately I do not have a choice to upgrade kernel, and I am asking again : >> ?- what are major challenges of a such backport ? >> ?Does kernel security changed so much between 3.18 and 4.2 ? > > $ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l > 48573 > > That's over 48 thousand changes between those kernels. That's a > non-trivial thing to review and backport only parts of it. > > And if you were to backport only parts of it, then you would be dealing > with a kernel that only you can support, not the company/vendor that is > forcing you to stick with 3.18. Why not ask them to do this work for > you as they are the ones you are paying for this type of work already? > > Also, why 3.18? That's a very old and obsolete kernel already, never > use that for any new type of device, you are guaranteed to have problems > with it as I'll probably stop doing security updates for it any week > now... > > good luck! > > greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Backporting stacked security patch 2018-10-30 18:19 ` Lev Olshvang @ 2018-10-30 21:17 ` valdis.kletnieks at vt.edu 2018-10-31 6:50 ` Greg KH 1 sibling, 0 replies; 5+ messages in thread From: valdis.kletnieks at vt.edu @ 2018-10-30 21:17 UTC (permalink / raw) To: kernelnewbies On Tue, 30 Oct 2018 21:19:08 +0300, Lev Olshvang said: > As I stated, I have no option to come to customer and ask to upgrade his > kernel, but I will try to put his attention to mentioned by you cease of > security updates. If you can't get him to upgrade the installed kernel, it's not worth your effort to backport patches. And just updating the patches to the 4.2 level doesn't do your customer any favors, as there's been a lot of security patches between 4.2 and 4.19. And many of the important ones do *NOT* apply to the security/ branch of the tree - it's stuff like the Spectre fixes that show up elsewhere in the tree, networking fixes that resolve "packet of death" issues, and so on. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 486 bytes Desc: not available URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181030/70f0f4ef/attachment.sig> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Backporting stacked security patch 2018-10-30 18:19 ` Lev Olshvang 2018-10-30 21:17 ` valdis.kletnieks at vt.edu @ 2018-10-31 6:50 ` Greg KH 1 sibling, 0 replies; 5+ messages in thread From: Greg KH @ 2018-10-31 6:50 UTC (permalink / raw) To: kernelnewbies On Tue, Oct 30, 2018 at 09:19:08PM +0300, Lev Olshvang wrote: > Hi Greg, > > Thanks for a reply. > > While diff between two kernels is indeed tremendous, the commits which were done in security subsystem do not look too bid,. > There are 7 commits, and 2 of them is about comments and one about file deletion. Try them and see! :) > I see that in 4.1 Smack was changed (couple of commits) and about 12 commits in > SeLinux and Smack that we were changed in 4.0, and in 3.19 only IMA was changed. > > So the job is to apply very limited number of commits, and commits of 4.1 or 4.0 are not important for me because I am interested only in Apparmor > stacking > > Perhaps I am overlooking some basic issue ? Why are you "allowed" to change a core part of how the kernel works, but not able to update to a newer kernel version? What keeps people from being even more worried about that? The fact that a number does not change? Realize that what you are attempting to do is create a kernel that no one else has ever tested or run before, so it is only up to you to get everything correct. And it is up to you to support that beast on your own, good luck! :) greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-10-31 6:50 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-10-30 11:43 Backporting stacked security patch Lev Olshvang 2018-10-30 14:33 ` Greg KH 2018-10-30 18:19 ` Lev Olshvang 2018-10-30 21:17 ` valdis.kletnieks at vt.edu 2018-10-31 6:50 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).