Hi,

Thank you very much for your detailed response. We sincerely apologize for the confusion; the data we presented was based on the results from June 2024, with the specific kernel version indicated at the time. There is indeed a discrepancy with the latest data. Our intention is not to highlight or downplay any particular distribution, but rather to illustrate, to some extent, the impact of kernel security hardening in real-world scenarios.

The CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_RANDOM_KMALLOC_CACHES options were merged upstream through commit IDs 6471384af2a6530696fc0203bafe4de41a23c9ef and 3c6152940584290668b35fa0800026f6a1ae05fe, respectively. These changes were introduced at least 11 months prior to June of this year. Interestingly, the Fedora 40 desktop kernel version (6.8.5-301.fc40.x86_64) has not enabled these security hardenings, even though they are included in the latest Fedora version. Could you help clarify the reasoning behind the decision to enable these two security hardenings? Additionally, there seems to be a delay between the upstream introduction of these security hardenings and their actual deployment—what factors might be contributing to this delay?

In addition, we also investigated historical versions of Fedora, with relevant data available at the following link:

https://docs.google.com/spreadsheets/d/1Q2im5w6wwJmzF6TD1OrXMKA3erRpAN-BWVeXtp5i4TY/edit?usp=sharing

From the results, it appears that the security hardening deployment for the desktop and server editions is almost identical, except for unprivileged_userfaultfd. Can we conclude that Fedora does not take different application scenarios into account when enabling its security hardenings?

On 2024/12/14 3:13, Jeremy Linton wrote:
> Hi,
>
> I think it's worthwhile to note that the spreadsheet is AFAIK out of date
> because I checked for example: CONFIG_INIT_ON_ALLOC_DEFAULT_ON and
> CONFIG_RANDOM_KMALLOC_CACHES running an updated F40 and both are enabled.
>
> So, I'm guessing no one ran 'dnf update' before recording the results,
> or they are 6+ months old and should probably be updated. That can be
> done either with 'dnf update' or by installing/upgrading to F41.
>
> And speaking as a community member I think 1.1 is pretty easy to answer
> "yes".
>
> Along the same vein I think reading the discussions around frame
> pointers over the past year can provide an idea about how the fedora
> community tries to find balance when determining performance/features/
> security/etc tradeoffs.
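As an added example (not part of either e-mail), the following POSIX shell script checks a kernel config file for the two build-time options discussed in the thread and then reads the runtime vm.unprivileged_userfaultfd sysctl on the running kernel. It assumes Fedora's /boot/config-$(uname -r) layout (with /proc/config.gz as a fallback) and includes a constructed sample config so it also runs offline.

```shell
# Added example, not from the thread. Reports whether the hardening options
# discussed above are built in, then checks the runtime userfaultfd sysctl.
# Assumes the usual Kconfig output format ("CONFIG_X=y" / "# CONFIG_X is not set").
HARDENING_OPTS="CONFIG_INIT_ON_ALLOC_DEFAULT_ON CONFIG_RANDOM_KMALLOC_CACHES"

# config_state FILE OPTION -> y, m, n (explicitly not set) or absent
config_state() {
    if grep -qxF "$2=y" "$1"; then echo y
    elif grep -qxF "$2=m" "$1"; then echo m
    elif grep -qxF "# $2 is not set" "$1"; then echo n
    else echo absent
    fi
}

# count_disabled FILE -> number of hardening options not built in (=y);
# per-option status goes to stderr so stdout stays machine-readable
count_disabled() {
    n=0
    for opt in $HARDENING_OPTS; do
        s=$(config_state "$1" "$opt")
        printf '%-36s %s\n' "$opt" "$s" >&2
        [ "$s" = y ] || n=$((n + 1))
    done
    echo "$n"
}

# Fedora ships the config as /boot/config-<release>; /proc/config.gz is a
# fallback when the kernel exposes it. Prints nothing if neither is readable.
running_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then echo "$f"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > /tmp/running.config && echo /tmp/running.config
    fi
}

# Constructed sample mimicking the June 2024 F40 state: neither option built in.
sample=$(mktemp)
printf '%s\n' '# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set' \
    '# CONFIG_RANDOM_KMALLOC_CACHES is not set' > "$sample"
echo "sample config: $(count_disabled "$sample") option(s) not enabled"
rm -f "$sample"

cfg=$(running_config)
if [ -n "$cfg" ]; then
    echo "running kernel: $(count_disabled "$cfg") option(s) not enabled ($cfg)"
    # runtime knob, not a Kconfig option; 0 means unprivileged userfaultfd is off
    echo "vm.unprivileged_userfaultfd=$(sysctl -n vm.unprivileged_userfaultfd 2>/dev/null || echo unknown)"
fi
```

Running it after `dnf update` and a reboot shows whether the discrepancy Jeremy describes is simply an older installed kernel.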