LinuxQuestions.org
Old 02-14-2020, 04:10 AM   #1
baggister
LQ Newbie
 
Registered: Jul 2017
Posts: 20

What is upstream /downstream with ref to kernel


Read here ...
https://www.zdnet.com/article/google...roid-security/

{{
Even when these downstream customizations are meant to add security to a device, they also introduce security bugs
}}

And at the end ...

{{
... device-specific kernel modifications would be better off either being upstreamed or ...
}}

Can anyone please explain what the above means?
 
Old 02-14-2020, 05:00 AM   #2
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,436

Quote:
Originally Posted by baggister View Post
Read here ...
https://www.zdnet.com/article/google...roid-security/

{{
Even when these downstream customizations are meant to add security to a device, they also introduce security bugs
}}

And at the end ...

{{
... device-specific kernel modifications would be better off either being upstreamed or ...
}}

Can anyone please explain what the above means?
Judging by a quick skim of the article linked, the first quote means: Samsung is modifying Linux kernel code to try and prevent attacks on their phones, but this could cause security problems for Android itself and/or other non-Samsung phones.

The second quote would mean that any modifications to kernel code should be done by Google, since Google develops and maintains Android itself.

In regards to desktop and server based Linux distributions; "upstream" means the Linux Foundation, as they're the ones that develop and maintain the Linux kernel itself. "Downstream" means the various Linux distributions' developers that develop and maintain the individual Linux distributions, like Ubuntu, openSUSE, Fedora, etc, etc, etc.
 
Old 02-14-2020, 05:16 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,019

Quote:
Originally Posted by jsbjsb001 View Post
In regards to desktop and server based Linux distributions; "upstream" means the Linux Foundation, as they're the ones that develop and maintain the Linux kernel itself. "Downstream" means the various Linux distributions' developers that develop and maintain the individual Linux distributions, like Ubuntu, openSUSE, Fedora, etc, etc, etc.
Not necessarily true.

Upstream usually refers to the source that is being modified, for example for CentOS the upstream source is RedHat.

Downstream would refer to people who are modifying the source code, so RedHat would consider CentOS (and those that base their distro off of RedHat source) as "downstream".
 
Old 02-14-2020, 05:34 AM   #4
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,436

Quote:
Originally Posted by TenTenths View Post
Not necessarily true.

Upstream usually refers to the source that is being modified, for example for CentOS the upstream source is RedHat.

Downstream would refer to people who are modifying the source code, so RedHat would consider CentOS (and those that base their distro off of RedHat source) as "downstream".
The thread title is: "What is upstream /downstream with ref to kernel".

So does Redhat write their own kernel? No, they get it from the Linux Foundation, don't they?

I also pretty much made your above point in the second paragraph of my post #2, didn't I (you know, the point about Google making the modifications to Android's kernel - doesn't the same apply to CentOS/RedHat or Ubuntu/Linux Mint, no?)?

Honestly, the amount of nit picking at this place... no wonder I don't have much interest in this place these days...
 
Old 02-14-2020, 05:42 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,019

Quote:
Originally Posted by jsbjsb001 View Post
So does Redhat write their own kernel? No, they get it from the Linux Foundation, don't they?
And CentOS get their kernel from RedHat, so for CentOS, RedHat is the "upstream", and for anyone that makes their own distro based off of CentOS then CentOS is the "upstream", while ultimately for the kernel the "upstream" is, indeed, the Linux Foundation; the code may have been modified at any place on the way "down".

You might say "Nit Picking"; personally I prefer the term "Improving accuracy of replies to the OP".

Get over it.
 
Old 02-14-2020, 06:19 AM   #6
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,436

Quote:
Originally Posted by TenTenths View Post
And CentOS get their kernel from RedHat, so for CentOS, RedHat is the "upstream", and for anyone that makes their own distro based off of CentOS then CentOS is the "upstream", while ultimately for the kernel the "upstream" is, indeed, the Linux Foundation; the code may have been modified at any place on the way "down".
Again;

Quote:
Originally Posted by jsbjsb001 View Post
...
The second quote would mean that any modifications to kernel code should be done by Google, since Google develops and maintains Android itself.
...
Does Google write their own kernel for Android? I believe they modify the Linux kernel for Android, yes? Does the above quote/statement not imply what you're saying? ...since Google don't actually write their own kernel for Android, and merely just take the existing Linux kernel and modify it for Android, yes?

Isn't CentOS basically RHEL without the RHEL branding, no?

I was merely pointing out that I was responding to the thread's title - which was about the kernel and not about derivative distributions - although I once again also covered that and you want to nit pick and imply otherwise.

Quote:
You might say "Nit Picking"; personally I prefer the term "Improving accuracy of replies to the OP".

Get over it.
I'm sure you would say that, and at this point, I'm done with this thread.

Get over yourself.
 
Old 02-14-2020, 08:25 AM   #7
baggister
LQ Newbie
 
Registered: Jul 2017
Posts: 20

Original Poster
From your replies, I think I have deduced the following ...

Downstream means adding / maintaining of kernel code in Android branch/fork/whatever it's called.
Upstream means adding/ maintaining of owner's code to Linux Foundation.

Eg Samsung writes a new package. Or they can change one of their own packages. They can do anything they want to these packages. It's theirs.
These packages are added to the Linux Foundation kernel project repository.

Linux Foundation "pulls" the project to (eg) Kernel 1.0 project. In this 1.0 Kernel Project, Linux Foundation can change / fix Samsung's packages ( or not add them at all, or remove them). ( Technically, they are fixing things downstream? )

Android pulls all of its kernel source/ binaries from Kernel 1.0 project to Android-Kernel 1.0.
Any amendments done here to the existing kernel source/binaries are considered as downstream maintenance. Are new packages considered upstream?

Samsung modifies stuff in Android-Kernel 1.0. It may or may not be their own packages (And if it was their packages, it may or may not have been modified by Linux Foundation). This is kernel modification done downstream.

Samsung ADDS New packages to the kernel, not modifying existing packages - it's their own packages. This could be considered Upstream or downstream.
However, as it is an amendment to what is fundamentally Kernel Code, I'd probably call it Downstream.

Well that's my take on it anyway.
 
Old 02-14-2020, 09:19 AM   #8
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,436

Think of it like this:

Let's say I wrote a program, and you modify its code; then I'm "upstream" and you're "downstream" - that's probably the easiest way to think about it.
 
Old 02-14-2020, 09:24 AM   #9
boughtonp
Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 228

With regards to software, upstream and downstream are directions.

Upstream is towards the origin, downstream is away from the origin.

A package or change cannot be described as upstream/downstream on its own - the term only makes sense in relation to another item in a dependency chain.

 
Old 02-14-2020, 09:24 AM   #10
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 8,430
Blog Entries: 13

First, the article is written by "someone", there's a link to who they are. That's great, but I consider it to be subjective:
Quote:
Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia.
Secondly they are almost entirely quoting someone else where in the second paragraph of this article, they invoke the name of a GPZ person and link to their blog, where the remainder of the article is a combination of tidbits from various other sources and largely quotes this GPZ person and their blog posts. It is unclear if this other person has been interviewed or if their public blog posts are just being referenced.

My humble opinion is that terms, are terms only, and they can mean some variety of interpretations.

But if you, baggister, wish some input interpreting what they are meaning as part of this article, here are some opinions, which you may consider or ignore.

And during the course of my composition and previews, I do see that you've provided an update/conclusion. If you're fine with that, I'm fine too:

The first quote you mentioned:
Quote:
Even when these downstream customizations are meant to add security to a device, they also introduce security bugs
Is preceded by the following:
Quote:
Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.

It was this type of mistake that Horn found in the Android kernel on the Samsung Galaxy A50. But as he notes, what Samsung did is pretty common among all smartphone vendors. That is, adding code to the Linux kernel code downstream that upstream kernel developers haven't reviewed.
And the later quote you raised:
Quote:
device-specific kernel modifications would be better off either being upstreamed or
Is missing the remainder of that sentence:
Quote:
device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers
My interpretations:
  1. The article is some bunch of claims by someone who is writing their article, largely using the content from another one.
  2. They seem to be saying that downstream is within a kernel driver and upstream is within a userspace driver.
  3. What I really feel they are discussing is the correct point, or location, for addressing security.
  4. Having dealt with security matters, things start at a basic level, and grow from there, and also never stops. Arguing as to whether it is best to be in lowest level drivers, the OS, or applications, I say that it should be in all of them, and that I'm not seeing any technical arguments compelling me to move towards one direction vs another. In fact, I submit that it really depends upon the situation identified as the security concern and what the proposed fixes are. In other words, I feel it varies.
  5. Anyways, without getting into too much of a stump speech, those are my opinions. Those and "Would you like me to move this discussion to the Linux - Security forum where it may garner more applicable viewings and replies?"
  6. Final one would also be: "Challenge others' points of view and opinions, but do so respectfully and thoughtfully ... without insult and personal attack. Differing opinions is one of the things that make this site great."
  7. EDIT: I feel it also is near exactly, "What boughtonp said"

Last edited by rtmistler; 02-14-2020 at 09:25 AM.
 
Old 02-14-2020, 09:28 AM   #11
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,436

EDIT: Sorry boughtonp, I thought you were the OP - disregard this post.

Last edited by jsbjsb001; 02-14-2020 at 09:34 AM. Reason: thought I was talking to the OP
 
  

