On Thu, 2020-04-16 at 13:08 -0700, Jakub Kicinski wrote: > On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote: > > > > IMHO it doesn't make any sense to take into stable > > > > automatically > > > > any patch that doesn't have fixes line. Do you have 1/2/3/4/5 > > > > concrete > > > > examples from your (referring to your Microsoft employee hat > > > > comment > > > > below) or other's people production environment where patches > > > > proved to > > > > be necessary but they lacked the fixes tag - would love to see > > > > them. > > > > > > Oh wow, where do you want me to start. I have zillions of these. > > > > > > But wait, don't trust me, trust a 3rd party. Here's what > > > Google's > > > security team said about the last 9 months of 2019: > > > - 209 known vulnerabilities patched in LTS kernels, most > > > without > > > CVEs > > > - 950+ criticial non-security bugs fixes for device XXXX alone > > > with LTS releases > > > > So opt-in for these critical or _always_ in use basic kernel > > sections. > > but make the default opt-out.. > > But the less attentive/weaker the maintainers the more benefit from > autosel they get. The default has to be correct for the group which > is more likely to take no action. or the more exposed they are to false positives :), unnoticed bugs due to wrong patches getting backported.. this could go for years for less attentive weaker modules, until someone steps on it.
