stable.vger.kernel.org archive mirror
From: Eddie Chapman <eddie@ehuk.net>
To: Willy Tarreau <w@1wt.eu>, Greg KH <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sasha.levin@oracle.com>,
	LKML <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>,
	lwn@lwn.net
Subject: Re: [ANNOUNCE] linux-stable security tree
Date: Tue, 12 Apr 2016 13:31:21 +0100
Message-ID: <570CEA99.1020101@ehuk.net>
In-Reply-To: <20160412081131.GB537@1wt.eu>

I'd like to add my 2c here as a mere user of many of the stable trees 
for many years in my projects.

The stable trees are excellent. The quality of the people selecting 
patches and the selection process is excellent.  I've rarely been on the 
bad end of a regression. I've always used stable kernels in virtually 
all my own projects, as well as many clients' projects.

I agree with a lot of what Greg and Willy have said here. There are 
plenty of examples of quite serious, non-security related (yes I know 
defining security/non-security is problematic) bugs being fixed in 
stable releases. IMO you deserve everything you get if you only applied 
the fixes in Sasha's new tree and ignored the stable releases completely.

Nonetheless, I applaud and thank Sasha for this new effort, and I
personally will find it very useful.  Yes, the lines between bug fix and 
security fix are very blurred, and so this tree won't have every 
"security" fix. But I believe and trust it *will* at least contain fixes 
for bugs that have the most severe security impact.

Where I will find this very useful is in having a "place" where I can 
see what are probably the most important security fixes applicable to 
the stable trees I am interested in.  Because if I may offer one 
criticism of the kernel stable trees in general, it is that it is very 
hard to find and identify fixes for known security vulnerabilities. 
Whenever I want to update the kernel in one of my projects, I find 
myself having to hunt around a lot for information, stringing together 
bits from bug reports, mailing lists, git commits, to track down whether 
or not a particular vulnerability is fixed in a stable tree.  Not
always; sometimes it is very clear that a particular fix in a particular
stable release fixes a known vulnerability, especially with commits e.g. 
referencing CVEs in the header or commit message. At other times there 
might be absolutely nothing in the fix to indicate this fixes a known 
vulnerability.

So anything which improves visibility, which this certainly does, is a 
good thing in my opinion.

Eddie
