On Wed, Feb 21, 2024 at 07:10:02PM +0100, Vlastimil Babka wrote:
On 2/21/24 18:57, Greg KH wrote:
On Wed, Feb 21, 2024 at 05:00:05PM +0100, Oleksandr Natalenko wrote:
On středa 21. února 2024 15:53:11 CET Greg KH wrote:
> Given the huge patch volume that the stable tree manages (30-40 changes
> accepted a day, 7 days a week), any one kernel subsystem that wishes to
> do something different only slows down everyone else.
Lower down the volume then? Raise the bar for what gets backported?
Stable kernel releases got unnecessarily big [1] (Jiří is in Cc).
Those 40 changes a day cannot get a proper review. Each stable release
tries to mimic -rc except -rc is in consistent state while "stable" is
just a bunch of changes picked here and there.
If you can point out any specific commits that we should not be taking,
please let us know.
Personally I think we are not taking enough, and are still missing real
fixes. Overall, this is only a very small % of what goes into Linus's
tree every day, so by that measure alone, we know we are missing things.
What % of what goes into Linus's tree do you think fits within the rules
stated in Documentation/process/stable-kernel-rules.rst ? I don't know but
"very small" would be my guess, so we should be fine as it is?
Or are the rules actually still being observed? I doubt e.g. many of the
AUTOSEL backports fit them? Should we rename the file to
stable-rules-nonsense.rst?
Hey, I have an exercise for you which came up last week during the whole
CVE thing!
Take a look at a random LTS kernel (I picked 5.10), in particular at the
CVEs assigned to the kernel (in my case I relied on
https://github.com/nluedtke/linux_kernel_cves/blob/master/data/5.10/5.10_security.txt).
See how many of those actually have a stable@ tag to let us know that we
need to pull that commit. (spoiler alert: in the 5.10 case it was ~33%)
Do you have a better way for us to fish for the remaining 67%?
Yeah, some have a Fixes tag, (it's not in stable-kernel-rules.rst!), and
in the 5.10 case it would have helped with about half of the commits,
but even then - what do we do with the remaining half?
The argument you're making is in favor of just ignoring it until they
get a CVE assigned (and even then, would we take them if it goes against
stable-kernel-rules.rst?), but then we end up leaving users exposed for *years*
as evidenced by some CVEs.
So if we go with the current workflow, folks complain that we take too
many patches. If we were to lean strictly to what
stable-kernel-rules.rst says, we'd apparently miss most of the
(security) issues affecting users.
--
Thanks,
Sasha
