On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote: > > > IMHO it doesn't make any sense to take into stable automatically > > > any patch that doesn't have fixes line. Do you have 1/2/3/4/5 > > > concrete > > > examples from your (referring to your Microsoft employee hat > > > comment > > > below) or other's people production environment where patches > > > proved to > > > be necessary but they lacked the fixes tag - would love to see > > > them. > > > > Oh wow, where do you want me to start. I have zillions of these. > > > > But wait, don't trust me, trust a 3rd party. Here's what Google's > > security team said about the last 9 months of 2019: > > - 209 known vulnerabilities patched in LTS kernels, most > > without > > CVEs > > - 950+ criticial non-security bugs fixes for device XXXX alone > > with LTS releases > > So opt-in for these critical or _always_ in use basic kernel sections. > but make the default opt-out.. But the less attentive/weaker the maintainers the more benefit from autosel they get. The default has to be correct for the group which is more likely to take no action.
