Message-ID: <20160421141209.GA9930@1wt.eu>
Date:	Thu, 21 Apr 2016 16:12:09 +0200
From:	Willy Tarreau <w@....eu>
To:	Sasha Levin <sasha.levin@...cle.com>
Cc:	Greg KH <greg@...ah.com>, Jiri Slaby <jslaby@...e.cz>,
	LKML <linux-kernel@...r.kernel.org>,
	stable <stable@...r.kernel.org>, lwn@....net
Subject: Re: stable-security kernel updates

On Thu, Apr 21, 2016 at 10:01:29AM -0400, Sasha Levin wrote:
> > What are you "stop-gapping" then?  The 7-10 days between stable
> > releases?
> 
> In a perfect world where everyone has a team of kernel hackers on hand
> reviewing stable commits, verifying the resulting kernel doesn't regress
> their product, and fixes existing regressions for their product it might
> be 7-10 days.
> 
> In the real world, this process takes much longer.
> 
> Doing a full rebase of the kernel tree is a much more costly process than
> cherry picking a handful of security commits.

Usually what is being done is mostly to check the intersection areas
between local patches and the updated parts from the next kernel. I'm
not saying it doesn't take some time, I mean for most products, only
certain areas are being considered since you usually have lots of
"CONFIG_* is not set" in a product. It's totally different for a distro
however.

Regards,
Willy
