On 04/21/2016 08:36 AM, Greg KH wrote:
> On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote:
>> Hey Willy,
>>
>> On 04/21/2016 03:11 AM, Willy Tarreau wrote:
>>> This illustrates exactly what I suspected would happen because that's the
>>> same trouble we all face when picking backports for our respective trees
>>> except that since the selection barrier is much higher here, lots of
>>> important ones will be missing
>>
>> Right. I fully agree that there will be important security commits that'll
>> get missed, whether because they were missed in the stable selection or
>> the stable-security selection.
>>
>> I'd like to point out again that updating the entire stable tree is the
>> preferable way to patch against security (and non-security) issues.
>
> s/preferable/only/ :)

Really? Even though, as I showed, updating your stable tree religiously would
still leave you vulnerable to "ancient" privesc exploits?

If anything, the *only* way is updating the entire kernel tree.

>> The
>> stable-security tree is a best-effort solution to provide a stop-gap in
>> between said stable tree updates.
>
> What are you "stop-gapping" then? The 7-10 days between stable
> releases?

In a perfect world where everyone has a team of kernel hackers on hand
reviewing stable commits, verifying the resulting kernel doesn't regress
their product, and fixing existing regressions for their product, it might
be 7-10 days.

In the real world, this process takes much longer. Doing a full rebase of
the kernel tree is a much more costly process than cherry-picking a
handful of security commits.

Thanks,
Sasha

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html