Re: [Ksummit-2013-discuss] [ATTEND] stable trees and pushy maintainers; cgroups interface; hid; depth of maintainers tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 13 Jul 2013, Greg KH wrote:

> > Ok, so as this topic seems to have gotten quite some traction even in 
> > other threads ("[Ksummit-2013-discuss] When to push bug fixes to mainline" 
> > etc), let me pick a rather random example for a case study (and yes, I 
> > personally had to suffer with that one quite a lot :) ).
> > 
> > 3.0.41 has been released Aug 15 2012. It included a huge random.c update 
> > (upstream commits d2e7c96a, cbc96b75, c5857ccf, 00ce1db1a, c2557a303, 
> > e6d4947b12, a2080a67a, 902c098a, 775f4b29, 2dac8e54f, 3e88bdff, 
> > 3e88bdff1c, cf833d0b, 63d7717).
> > 
> > Many of these went into Linus' tree for 3.6, which was released Sep 30 
> > 2012. 3.0.41 was released Aug 15 2012 (which is before final release of 
> > 3.6) (I hope I got the dates right, I have never been really strong in 
> > history classess).
> > 
> > 902c098a was buggy, wasn't marked for stable in the changelog, hasn't been 
> > present in single Linus' major release, and still has been merged into 
> > -stable already. Makes one wonder where did all the rush come from.
> > 
> > Actually the whole series of commits seems (to a rather unbiased observer, 
> > such as myself) to be rather an improvement and forward-pushing 
> > development of a random subsystem. How does/did that qualify for stable?
> 
> They came from a reported security problem against the kernel, and came
> at the request of security@xxxxxxxxxx.  You should have found out the
> details from it from the "vendor-sec" list (it's called something
> different now, I can't remember the name, sorry), I know someone from
> SuSE is on that list.
> 
> I think the problem was eventually given a CVE number, so you could
> track it down that way, but I don't have access to my email archives at
> the moment to verify this or not, sorry.
> 
> The kernel security team should now be reporting all of these issues to
> the vendor-sec mailing list, I know we weren't in the past, which was a
> complaint that we resolved a few months ago because of issues just like
> this one you have pointed out.

Well, if there is something going really "fast track" into stable in 
random.c area, I definitely can imagine it's because of a security problem 
:)

But which patch of the huge bunch fixes the problem is not clear 
immediately.
Was the whole series really necessary?

The problem we have actually encountered was 902c098a ... it's not obvious 
how that patch would be fixing any security related issue (strictly 
speaking, it could actually create a new security problem).
It's not even closely tight to the rest of the patches in the series 
(supposedly some of those patches is fixing some particular CVE ...).

So I still fail to see a proper explanation why 902c098a itself is 
included in the stable tree.

Yes, I have a couple more examples very similar to this one, but I didn't 
want to initiate paralllel discussions about technical aspect of those 
very patches, as I think the common part is the same -- proper 
justification for -stable inclusion of each and every patch.

Thanks,

-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]