Well, Greg or someone on the stable team will have to answer that, but the
stable team's job as I've always understood it is to aggregate changes
that other people send them that might have stability impact and release
them, *not* to engage in analyses of those changes. If the original
committer doesn't say that something has security impact, there's no
guarantee that anything will in the stable tree either. It's not as if
they're getting paid for doing this (and I'd appreciate it if you didn't
annoy them so much that they stopped doing it: having no stable tree at
all would be much worse than having one without CVE info).
Maybe this is not ideal but, as far as I know, it's the way things are.
(If I'm talking rubbish, someone who knows will doubtless comment.)
Posted Jul 14, 2008 12:16 UTC (Mon) by PaXTeam (subscriber, #24616)
> *not* to engage in analyses of those changes
FYI, Documentation/stable_kernel_rules.txt says among others:
- Security patches will be accepted into the -stable tree directly from the
security kernel team, and not go through the normal review cycle.
Contact the kernel security team for more details on this procedure.
i.e., the stable guys don't need to "engage in analyses".
> If the original committer doesn't say that something has security
> impact, there's no guarantee that anything will in the stable tree
> either.
and what if he says so? did you even bother reading the commit i pointed out? it has the
following trigger words (that's already a surprise considering how they're suppressed
normally, just look at this .25.11 stable release commit itself): 'oops', 'integer
wraparound', 'when you don't have permissions'. the question you should be asking is why this
commit wasn't forwarded to the stable people for inclusion.
> It's not as if they're getting paid for doing this
they are. every one of them is employed by Novell/Red Hat/etc and gets paid to do Linux work,
including stable work. the hobby (free time) linux hacker myth has been dead for over a
decade.
> and I'd appreciate it if you didn't annoy them so much that they stopped
> doing it:
that's not how things work in real life.
> having no stable tree at all would be much worse than having one without
> CVE info
and what about having a stable tree without, err, actual stable fixes? you know, like the one
i pointed out.
Stable kernel 2.6.25.11
Posted Jul 14, 2008 12:46 UTC (Mon) by nix (subscriber, #2304)
>> having no stable tree at all would be much worse than having one
>> without CVE info
> and what about having a stable tree without, err, actual stable fixes?
> you know, like the one i pointed out.
If the change wasn't forwarded to stable@, it won't get considered unless
the stable@ guys happen to spot it by chance.