Kernel development without kernel.org

By Jonathan Corbet
September 13, 2011
The security problems at kernel.org have raised concerns about the kernel source and other software hosted there. There has been no evidence, so far, that kernel.org was used to distribute any corrupted software. But there is another aspect to this break-in: kernel.org is "down for maintenance" and there is no word as to when it might come back. As a result, even if no malware was distributed, the kernel.org crack represents a denial of service attack of significant proportions.

Linus has released two 3.1-rc versions from a temporary site at GitHub, but there's not a lot of work to be found there. Among other things, the loss of all the repositories hosted on kernel.org means that there is relatively little for him to pull. Stephen Rothwell, meanwhile, continues to pull the trees he can reach to create linux-next. He is able to report integration and build problems, but cannot put the tree where others can reach it. "Besides, I am having a nice restful time." There have been no stable tree updates since kernel.org went down.

Alternative trees are beginning to pop up across the net as developers find other places to host their work for now. If the kernel.org outage continues for some time, we can expect to see many more of those show up - though some developers are refusing to set up alternative repositories. Most of the substitute trees are described as temporary; it will be interesting to see how many of them actually move back to kernel.org once this episode has run its course. Some developers may decide that keeping their trees elsewhere works better for them. We may have a distributed source control system, but it has become clear that the kernel community works with a rather centralized hosting and distribution infrastructure.

The loss of kernel.org has slowed things enough to make it clear that the process has a single point of failure built into it. Whether that is worth fixing is not entirely clear; no code should have been lost and, if kernel.org were ever to disappear permanently, the process could be back to full speed on other systems in short order. For now, though, we're seeing things disrupted in a way few other events have been able to manage. It's interesting to ponder what would have happened had the compromise come out during the merge window.


Kernel development without kernel.org

Posted Sep 15, 2011 15:29 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Don't be so hard!
kernel.org has been up and running for over 10 years or so, no?
So, with a rough 10 days downtime, that's (1-10/3650) = 99,7% availability in presence of malicious faults.
OK, that figure is going to drop until the site comes up again but, well... I wish other sites had the same result personally; and the figure will start to go up again as soon as the site comes back online.

Furthermore, 100% availability did not look serious. Enjoy the holiday while that security benchmark finally gets a true run.
;-)

Kernel development without kernel.org

Posted Sep 15, 2011 19:20 UTC (Thu) by klossner (subscriber, #30046) [Link]

This "holiday" occurs just as students in the U.S. are preparing to return to college. I had planned to fix a suspend/resume bug on my daughter's laptop, but I cannot access the necessary patches. Now she'll have to live with the problem until the real holidays come this winter.

Kernel development without kernel.org

Posted Sep 15, 2011 19:24 UTC (Thu) by klossner (subscriber, #30046) [Link]

Ironically, when she returns to campus, she'll be within a couple of blocks of the machines that host the patches that she needs. If only I could knock on the door, USB stick in hand ...

Kernel development without kernel.org

Posted Sep 15, 2011 22:39 UTC (Thu) by jmalcolm (guest, #8876) [Link]

SSH is not an option?

Kernel development without kernel.org

Posted Sep 16, 2011 4:12 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link]

Just think of it as an opportunity for your daughter to learn how to compile and install her own kernel instead of depending on you to do it. If the bug is a real pain, it may even provide her with some needed motivation.

Kernel development without kernel.org

Posted Sep 16, 2011 18:47 UTC (Fri) by yokem_55 (subscriber, #10498) [Link]

I usually follow the git stable trees for my workstation's kernel and I had to resort to manually patching a checkout of the 3.0 tag from Linus's Gitorious. Worked, but it would be nice if there was a stable kernel git somewhere....

Kernel development without kernel.org

Posted Sep 20, 2011 18:19 UTC (Tue) by zooko (subscriber, #2589) [Link]

Didn't our Dear Editor's blog entry on linux.com say something like "kernel.org may appear to be a hub of development, but it is really more of a hub of distribution."? I can't double-check because linux.com is down due to being compromised...

Kernel development without kernel.org

Posted Sep 20, 2011 18:38 UTC (Tue) by jrn (subscriber, #64214) [Link]

That is how I thought it worked, too. Unfortunately, bugzilla.kernel.org, wiki.kernel.org, and stable@kernel.org are all very useful for development and all down with no fallback I know of.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds