Re: Which version of 2.6.11 is most stable

From: Adrian Bunk
Date: Fri Nov 11 2005 - 23:34:17 EST

Next message: Adrian Bunk: "[2.6 patch] removed useless SCSI_GENERIC_NCR5380_MMIO"
Previous message: Adrian Bunk: "[2.6 patch] mark virt_to_bus/bus_to_virt as __deprecated on i386"
In reply to: Rob Landley: "Re: Which version of 2.6.11 is most stable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Nov 11, 2005 at 09:49:08PM -0600, Rob Landley wrote:
>
> One question I've wondered about for a bit...
>
> The diff between each dot release (ala 2.6.12.0->2.6.12.1) can theoretically
> be backported to an older kernel. So in theory, at least some of the new
> security fixes can be applied to older kernels. (Yeah, this necessarily
> complete. Whether or not the patch makes any sense at all in the older
> context, and whether or not that's everything they need to do... That's a
> seperate issue. It allows some minimal, relatively straightforward
> maintenance to be done on systems that are stuck with older kernels by
> management fiat.
>
> The gap is the jump to the next major release. Suppose that 2.6.15 makes it
> up to 2.6.15.10, and then 2.6.16 comes out. Are there any security fixes in
> 2.6.16 that weren't in 2.6.15.10? Fixes which would have been in a 2.6.15.11
> if the next big release had been delayed another two weeks?
>
> From a practical standpoint, somebody stuck on 2.6.15 for another six months
> is likely to at least try to apply the next security update (the diff between
> 2.6.16->2.6.16.1) to their old kernel, but are they missing a week or two's
> worth of security fixes?

They miss a completely undefined amount of fixes.
Consider e.g. the case that 2.6.16 contains fixes that are later
identified as possible security issues.

The 2.6.16->2.6.16.1 patch fixes bugs in 2.6.16 - trying to apply it to
a 2.6.15 kernel might both leave security holes and add new breakages.

> I'm trying to clarify what my question is: When a new stable kernel comes
> out, do the dot-release guys do one more release of security-only fixes to
> patch all the known vulnerabilities that the new one addressed before moving
> on? Or do they just leave a gap and say "upgrade"?

There is no last dot-release - and it wouldn't help.

If you are running ftp.kernel.org kernels you have to upgrade to the
latest one or you will definitely miss security fixes.

If this is a problem for you stay with distribution kernels -
distributions offer exactly the service of security fixes for their
kernels for a well-defined amount of time.

> Rob

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Adrian Bunk: "[2.6 patch] removed useless SCSI_GENERIC_NCR5380_MMIO"
Previous message: Adrian Bunk: "[2.6 patch] mark virt_to_bus/bus_to_virt as __deprecated on i386"
In reply to: Rob Landley: "Re: Which version of 2.6.11 is most stable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]