Linux-Kernel Archive: [ANNOUNCE] Linux-Stable-Security Kernel Tree Announced
Quote:
I'd like to announce the linux-stable security tree project. The purpose is to create a derivative tree from the regular stable tree that would contain only commits that fix security vulnerabilities.

Quite a few users of the stable trees pointed out that on complex deployments, where validation is non-trivial, there is little incentive to follow the stable tree after the product has been deployed to production. There is no interest in "random" kernel fixes and the only requirements are to keep up with security vulnerabilities.

Given this, a few projects preferred to delay important kernel updates, and a few even stopped updating the tree altogether, exposing them to critical vulnerabilities.

This project provides an easy way to receive only important security commits, which are usually only a few in each release, and makes it easy to incorporate them into existing projects.
In response to a question from another developer, Levin says the aim of the Linux-stable security tree project will be to catch “anything exploitable by a local unprivileged user (or better),” whether or not it has attracted the attention of Mitre and been issued a CVE.
Levin notes that he hopes to be able to maintain a security tree for all -stable branch versions that are still maintained – that is, he won't only be following the very latest kernel revision.
The project has sparked a lively discussion over at the Linux Kernel Mailing List. The two main lines of criticism so far, El Reg would summarise as: “all bug fixes are potentially security fixes if they affect the stability of the system”, and “those responsible for patching systems should have processes good enough to handle pulling the full -stable branch when they need to patch”.
On the other hand, as this post from Linux consultant Eddie Chapman notes: “if I may offer one criticism of the kernel stable trees in general, it is that it is very hard to find and identify fixes for known security vulnerabilities.”
In other words, even if Levin can't get 100 per cent coverage of security fixes, by offering users a single source for security patches only, security overall is improved the more people run those patches.