Re: [Ksummit-2013-discuss] [ATTEND] stable trees and pushy maintainers; cgroups interface; hid; depth of maintainers tree

On Sun, Jul 14, 2013 at 01:30:49AM +0200, Jiri Kosina wrote:
> On Mon, 8 Jul 2013, Greg KH wrote:
> 
> > > (1) I am a responsible maintainer of kernels for all SUSE enterprise 
> > >     products. As such, I am dealing with -stable trees on a regular 
> > >     basis. 
> > > 
> > >     I am aware of the fact that -stable team is deferring a big part of the 
> > >     responsibility to the patch authors / maintainers (and thus they are 
> > >     mostly the ones to blame), and also of the fact that properly 
> > >     defining -stable acceptance rules is a very hard task.
> > > 
> > >     Still, my gut feeling is that some patches present in the -stable 
> > >     release are obviously not a -stable material.
> > > 
> > >     As a basis for further discussion I can provide a few examples of 
> > >     patches that went into -stable, although they (?apparently?) should have
> > >     not, and they caused us headache.
> > 
> > I'd be interested in hearing about this now, as I never want to include
> > patches that break things or cause problems for distros, or anyone else
> > using the stable branches.  Care to take this to stable@xxxxxxxxxxxxxxx
> > so that all of the people involved in the stable stuff can talk about
> > it?
> 
> Ok, so as this topic seems to have gotten quite some traction even in 
> other threads ("[Ksummit-2013-discuss] When to push bug fixes to mainline" 
> etc), let me pick a rather random example for a case study (and yes, I 
> personally had to suffer with that one quite a lot :) ).
> 
> 3.0.41 has been released Aug 15 2012. It included a huge random.c update 
> (upstream commits d2e7c96a, cbc96b75, c5857ccf, 00ce1db1a, c2557a303, 
> e6d4947b12, a2080a67a, 902c098a, 775f4b29, 2dac8e54f, 3e88bdff, 
> 3e88bdff1c, cf833d0b, 63d7717).
> 
> Many of these went into Linus' tree for 3.6, which was released Sep 30 
> 2012. 3.0.41 was released Aug 15 2012 (which is before final release of 
> 3.6) (I hope I got the dates right, I have never been really strong in 
> history classes).
> 
> 902c098a was buggy, wasn't marked for stable in the changelog, hasn't been 
> present in a single Linus' major release, and still has been merged into 
> -stable already. Makes one wonder where did all the rush come from.
> 
> Actually the whole series of commits seems (to a rather unbiased observer, 
> such as myself) to be rather an improvement and forward-pushing 
> development of a random subsystem. How does/did that qualify for stable?

They came from a reported security problem against the kernel, and came
at the request of security@xxxxxxxxxx.  You should have found out the
details of it from the "vendor-sec" list (it's called something
different now, I can't remember the name, sorry), I know someone from
SuSE is on that list.

I think the problem was eventually given a CVE number, so you could
track it down that way, but I don't have access to my email archives at
the moment to verify this or not, sorry.

The kernel security team should now be reporting all of these issues to
the vendor-sec mailing list, I know we weren't in the past, which was a
complaint that we resolved a few months ago because of issues just like
this one you have pointed out.

Hope that explains this specific instance, any others you know of that
you are curious about?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



