Linux 2.4.37.10 + 2.4 EOL plans

Linux 2.4.37.10 + 2.4 EOL plans

[Willy Tarreau]

Hi all,

This is the 10th fixup release of kernel 2.4.37. Most changes concern
relatively minor issues as well as a few medium security issues affecting
some specific areas (sctp, irda, jfs). Most likely, very few people are
concerned. The full (still short) changelog is provided at the end of this
mail.

Some of you have noticed that the last update was released 7 months ago.
This is long, but these days, very few of the issues reported on 2.6 also
affect 2.4, so basically the number of bug reports on 2.4 fades out quite
fast. Also, I generally prefer not to release a kernel just for a single
non-critical patch, especially if we consider that 2.4 users generally
wait a few weeks to a few months before upgrading. Since quite a bunch of
fixes started to pile up, I thought it was time to release a new one.

I've realized that I only have a few 2.4-based systems left in production,
and that my other systems are now running fine with long-term supported
2.6.27 and 2.6.32 kernels. At my company, we're still shipping our load
balancers with a 2.4 kernel, but we're considering upgrading to 2.6 for a
next release, so even there I won't have many reasons to work on 2.4. All
these clues should ring a bell for those of you still relying on 2.4...

So what I'm planning to do for next releases is to automatically stop
providing updates one year after the last update. What this means is that
if there are important fixes to merge, they will shift the end of support
date for one new year, but if nothing important happens during one whole
year, that proves the code is stable enough to fly by itself, and you don't
need any update anymore. This is not a rigid rule though and I still decide
whether something has to be fixed or not. If I collect some non-important
patches, I'll queue them up but not emit a release for them. If something
critical happens, then I'll emit a new release. If that happens after one
year of silence, it is possible that I'll still emit a release, without
shifting the end of life date further.

So I'm releasing 2.4.37.10 here. If nothing happens before September 2011,
it's possible that there won't be any 2.4.37.11 at all. By that time, the
2.6 kernel will have been available for almost 8 years, this should have
been enough for anyone to have a look at it. Users now have one year to
migrate or to report critical bugs. I think that's a honnest deal. After
all, if users are able to report critical bugs for 5 years so that I have
to maintain it for that long, at least I'm doing it for a good reason, so
that's not a problem for me.

There's no need to hurry, but the upgrade should seriously be considered.

At one point, I envisaged to start a 2.4.38 with a bunch of updated drivers.
Now I'd prefer that the users migrate to 2.6. However, I do have a good set
of updated/backported drivers available (my own kernels boot on about every
hardware I find today), so if some users are interested, I'll take some time
to put the updates online.

The patch and changelog will appear soon at the following locations:
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/patch-2.4.37.10.bz2
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.10

Git repository:
   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.4.37.y.git
  http://www.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.4.37.y.git

Git repository through the gitweb interface:
  http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git


Summary of changes from v2.4.37.9 to v2.4.37.10
============================================

Dave Kleikamp (1):
      jfs: don't allow os2 xattr namespace overlap with others

Neil Horman (1):
      sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)

Pavel Emelyanov (1):
      irda: Sock leak on error path in irda_create.

Stefan Seyfried (1):
      FAT: do not continue in fat_get_block if bmap fails

Sylvain Rochet (2):
      drivers/tun: MTU change for TUN/TAP interfaces
      net: permanent NUD pins ethernet interfaces when ATM is compiled in.

Wei Yongjun (2):
      sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set
      SCTP: Fix to encode PROTOCOL VIOLATION error cause correctly

Willy Tarreau (2):
      irda: correctly free memory on irda_bind() failure
      Change VERSION to 2.4.37.10

Re: Linux 2.4.37.10 + 2.4 EOL plans

[Willy Tarreau]

On Tue, Sep 14, 2010 at 03:19:54PM -0700, Yuhong Bao wrote:
> 
> OK, I will bite.
> Why are you still using kernel 2.4?

One word : stability.

Many people don't need all the fancy new features of 2.6 and can't afford
to reboot their systems every two weeks to apply the last bunch of fixes.
It's quite common to encounter 2.4 systems with 2 years of uptime in
production. Some users even ship it in embedded products where it's
impossible to update the system after it's shipped (no internet connectivity).
With 2.4, they're assured they won't encounter stability problems.

Some other users still use it for security reasons. 2.6 offers a wider
attack vector range and in practice, new locally exploitable vulnerabilities
are discovered every few weeks-months. I'm not saying that there aren't on
2.4, but since the code is frozen, it's been long since we last got one and
there's no reason to introduce new ones.

In fact, 2.4 is now occupying a similar place as OpenBSD : the type of
system you install once and never touch anymore.

Regards,
Willy