2004-09-02 07:08:24

by Frank Steiner

Subject: Identify security-related patches

Hi,

is there an easy way to identify all security-related patches out of the
mass of patches floating around on linux.bkbits.net or the kernel bugzilla?

I'm running 2.6.8.1 and would like to keep it as stable as possible, thus,
only apply security patches. Currently I'm searching for "security" and
the like on bitkeeper, but there seems to be no consistent marking.

For instance, it would be nice if all security fixes contained a consistent
marker like "[SECURITY]" in the changeset comments (like the reiserfs xattr/acl
patch does), so that it would be easy to identify them. Or setting some kind
of flag to such patches (I've no idea what bitkeeper allows one to do...).

cu,
Frank

--
Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17 Phone: +49 89 2180-4049
80333 Muenchen, Germany Fax: +49 89 2180-99-4049


2004-09-02 18:48:11

by Chris Wright

Subject: Re: Identify security-related patches

* Frank Steiner ([email protected]) wrote:
> is there an easy way to identify all security-related patches out of the
> mass of patches floating around on linux.bkbits.net or the kernel bugzilla?

No, there's not. It's not as simple as it seems. Your best bet is
monitoring vendor updates, as they have the same goal. Occasionally
things get applied with a CVE candidate number (CAN-YYYY-NNNN), and
those are security relevant.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
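
The two heuristics mentioned in this thread (a "[SECURITY]" marker in the changeset comment, and a CVE candidate number of the form CAN-YYYY-NNNN) can be automated as a first-pass filter over a changeset log. The script below is an added example, not code from the thread or from the kernel project; it runs over a constructed log in a BitKeeper-like layout (the changeset ids and authors are invented), and it also accepts the later CVE-YYYY-NNNN form. It distinguishes strong signals (an explicit id or marker) from weak keyword hits, and deliberately leaves the last entry unmatched to illustrate the point made later in the thread: a fix committed as an ordinary bug has nothing in its comment for a filter to find.

```python
import re
from typing import List, NamedTuple

# Constructed sample log (made up for this example; not real kernel changesets).
SAMPLE_LOG = """\
ChangeSet 1.1234 2004-08-30 jdoe@example.invalid
  [SECURITY] reiserfs: check xattr permissions before exposing ACLs

ChangeSet 1.1235 2004-08-31 asmith@example.invalid
  net: fix typo in comment

ChangeSet 1.1236 2004-09-01 bjones@example.invalid
  fs: bounds check in readdir (CAN-2004-0001)

ChangeSet 1.1237 2004-09-01 cnguyen@example.invalid
  mm: avoid integer overflow in mmap length computation

ChangeSet 1.1238 2004-09-02 dlee@example.invalid
  ipv4: fix oops under load
"""

# Strong signals: an explicit vulnerability id or an explicit marker.
# CAN- was the candidate prefix in 2004; CVE- is the form used since.
CVE_ID = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")
MARKER = re.compile(r"\[SECURITY\]", re.IGNORECASE)
# Weak signals: words that often, but not always, indicate a security fix.
WEAK_WORDS = re.compile(r"\b(security|exploit\w*|overflow|privilege|escalat\w*)\b",
                        re.IGNORECASE)


class Changeset(NamedTuple):
    ident: str
    message: str


def parse_log(text: str) -> List[Changeset]:
    """Split a log into changesets: a header line followed by indented comment lines,
    entries separated by a blank line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = lines[0].split()
        ident = header[1] if len(header) > 1 else header[0]
        message = "\n".join(line.strip() for line in lines[1:])
        entries.append(Changeset(ident, message))
    return entries


def classify(cs: Changeset) -> str:
    """Return 'strong' for an explicit id/marker, 'weak' for keyword hits, else 'none'."""
    if CVE_ID.search(cs.message) or MARKER.search(cs.message):
        return "strong"
    if WEAK_WORDS.search(cs.message):
        return "weak"
    return "none"


def extract_ids(text: str) -> List[str]:
    """All CAN/CVE ids mentioned anywhere in the log, in order of appearance."""
    return CVE_ID.findall(text)


def security_candidates(text: str):
    """(changeset id, signal strength) for every changeset that matched something.
    Anything returning 'none' is not necessarily safe; it is merely unlabelled."""
    return [(cs.ident, classify(cs)) for cs in parse_log(text) if classify(cs) != "none"]


if __name__ == "__main__":
    for ident, strength in security_candidates(SAMPLE_LOG):
        print(f"{ident}\t{strength}")
    print("ids:", extract_ids(SAMPLE_LOG))
```

Strong hits are worth applying on sight; weak hits need a human read of the diff; and the empty result for the ipv4 oops fix shows why a filter like this is a floor rather than a complete list, which is the reason the replies above point at vendor update streams instead.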

2004-09-02 19:12:41

by Valdis Klētnieks

Subject: Re: Identify security-related patches

On Thu, 02 Sep 2004 11:48:07 PDT, Chris Wright said:
> * Frank Steiner ([email protected]) wrote:
> > is there an easy way to identify all security-related patches out of the
> > mass of patches floating around on linux.bkbits.net or the kernel bugzilla?
>
> No, there's not. It's not as simple as it seems. Your best bet is
> monitoring vendor updates, as they have the same goal. Occasionally
> things get applied with a CVE candidate number (CAN-YYYY-NNNN), and
> those are security relevant.

Another point to remember is that there are probably many times that we've
fixed something because it's a bug, and only later find out that it's a bug
with security implications...



2004-09-03 03:37:17

by Florian Weimer

Subject: Re: Identify security-related patches

* Frank Steiner:

> is there an easy way to identify all security-related patches out of the
> mass of patches floating around on linux.bkbits.net or the kernel bugzilla?
>
> I'm running 2.6.8.1 and would like to keep it as stable as possible, thus,
> only apply security patches. Currently I'm searching for "security" and
> alike on bitkeeper, but there seems to be no consistent marking.

No, there isn't. You won't see any official kernel.org advisories
that could serve as guide, either.

However, your concentration might be a bit short-sighted. Issues such
as stability (random crashes under load), data corruption (file
systems are corrupted on unmount) and performance (poor throughput
with some USB devices) could be as important to your users as security
fixes. In this area, vendor kernels can serve as a guide, too.

Unfortunately, there is no distributed source code management system
used by all these forks, so relating all those changes appears to be
quite complicated.