Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756554AbcDLNs4 (ORCPT ); Tue, 12 Apr 2016 09:48:56 -0400 Received: from schatzi.steelbluetech.co.uk ([92.63.139.240]:60537 "EHLO schatzi.steelbluetech.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751589AbcDLNsy (ORCPT ); Tue, 12 Apr 2016 09:48:54 -0400 DKIM-Filter: OpenDKIM Filter v2.10.3 schatzi.steelbluetech.co.uk CE88DB353 Subject: Re: [ANNOUNCE] linux-stable security tree References: <20160411184148.GA23140@kroah.com> <570BF3DD.2060900@oracle.com> <20160411200904.GB24106@kroah.com> <570C0B39.1090408@oracle.com> <20160411211708.GB32758@1wt.eu> <570C29C0.9080206@oracle.com> <20160412062237.GA507@1wt.eu> <20160412063508.GA21417@kroah.com> <20160412081131.GB537@1wt.eu> <570CEA99.1020101@ehuk.net> <20160412125234.GD660@1wt.eu> To: Willy Tarreau Cc: Greg KH , Sasha Levin , LKML , stable , lwn@lwn.net From: Eddie Chapman Reply-To: Eddie Chapman Message-ID: <570CFCC3.3090302@ehuk.net> Date: Tue, 12 Apr 2016 14:48:51 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <20160412125234.GD660@1wt.eu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1739 Lines: 29 On 12/04/16 13:52, Willy Tarreau wrote: > On Tue, Apr 12, 2016 at 01:31:21PM +0100, Eddie Chapman wrote: >> None-the-less, I applaud and thank Sasha for this new effort, and I >> personally will find it very useful. Yes, the lines between bug fix and >> security fix are very blurred, and so this tree won't have every "security" >> fix. But I believe and trust it *will* at least contain fixes for bugs that >> have the most severe security impact. > > It will only contain them if they are already in the respective stable trees, > which means that when I miss a fix (common), it won't appear there either. > At first I thought "oh cool, a repository of known things that must absolutely > be fixed, that will help me do my backports" and in the end I fear it will be > blindly used by end users who don't understand what they're missing but who > still believe they limit the risk of upgrades. Just this morning I saw a > report of a user saying that haproxy crashes is 2.6.24 kernel which is > "otherwise perfectly stable and achieves multi-years uptime"... Imagine > what such users will do when backporting fixes into they multi-thousands-bugs > kernel! Yes, agreed. I'm sure it's not going to be an exhaustive, complete repository. But I think it is better than no repository. And I think you are right there is a risk some will use it blindly. However, it seems to me if they make this mistake then by definition they were probably already screwed with regards the issues we're discussing here, so things can't really effectively get any worse. So by blindly applying a small tree of what have already been regarded as important fixes their situation might then be upgraded from 100% screwed to maybe only 70% screwed.