lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 10 Oct 2018 14:11:48 -0400
From:   Sasha Levin <sashal@...nel.org>
To:     Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:     Michael Schmitz <schmitzmic@...il.com>,
        "3.8+" <stable@...r.kernel.org>,
        lkml <linux-kernel@...r.kernel.org>,
        Andreas Schwab <schwab@...ux-m68k.org>,
        alexander.levin@...rosoft.com
Subject: Re: [PATCH AUTOSEL 4.18 24/58] Input: atakbd - fix Atari CapsLock
 behaviour

On Wed, Oct 10, 2018 at 10:02:19AM -0700, Dmitry Torokhov wrote:
>On Wed, Oct 10, 2018 at 10:29:58AM -0400, Sasha Levin wrote:
>> On Mon, Oct 08, 2018 at 12:20:26PM -0700, Dmitry Torokhov wrote:
>> > Hi Michael,
>> >
>> > On Mon, Oct 8, 2018 at 12:09 PM Michael Schmitz <schmitzmic@...il.com> wrote:
>> > >
>> > > Dmitry,
>> > >
>> > > someone on debian-68k reported the bug, which (to me) indicates that the
>> > > code is not just used by me.
>> > >
>> > > Whether or not a functioning Capslock is essential to have? You be the
>> > > judge of that. If you are OK with applying the keymap patch, why not
>> > > this one?
>> >
>> > I have exactly the same concerns about the keymap patch. This all has
>> > not been working correctly for many many years (and it was not broken
>> > in a subtly way as far as I understand, but rather quite obvious).
>> > Thus I do not understand why this belongs to stable release. It is not
>> > a [recent] regression, nor secutiry bug, nor even enabling of new
>> > hardware, that is why I myself did not mark it as stable.
>> >
>> > I still maintain that we pick up for stable too many patches for no
>> > clear benefit. This is similar to the patch for Atmel controllers that
>> > was picked to stable and I asked why, as it is not clear how many
>> > users might be affected (or if the problem the patch was solving was
>> > purely theoretical, or only affecting hardware that is not in
>> > circulation yet).
>>
>> If you belive that a certain piece of code has no actual users, why do
>> you keep it in the upstream kernel to begin with?
>
>Because obviously there are users. Maybe 5 of them, maybe 10. They do
>not follow upstream very closely (otherwise these fixes would have
>appeared in mainline long time ago) but they still exist. And it is not
>hard to keep the driver in if there are not many changes.

It, similarily, not hard to backport these changes to stable tree
especially if they're in a self-contained driver such as this one.

>>
>> I don't think it makes sense to keep something upstream because it might
>> have users, but not backport fixes because there might not have any
>> users.
>>
>> You haven't seen evidence of anyone using/caring about it for a few
>> years? Great! Remove the code and if someone complains we can always
>> revert. This is how all those orphaned archs got removed a few releases
>> back. I'll even submit the patch if you'd like.
>>
>> It doesn't make sense to have "second class citizens" like how you
>> suggested.
>
>Sure does. Look, one of roles of a mantainer is basically a release
>manager. We need to decide what goes into new release, what goes into
>maintenance release, what stays until later milestone. Each release has
>different criteria. With maintenance release you want to minimize the
>disruption while alleviating most recent and critical/high visibility
>issues, IOW you want to get the most bang for your buck. And these
>particular fixes do not give you any bang, none at all.
>
>Same goes for patches that deal with error handling in probe() functions
>that your AUTOSEL scripts like to pick. Yes, they are fixing bugs. But
>show me actually users affected by them? You encounter these issues with
>probe when you do initial device bringup, but once device is stabilized
>probes are expected to succeed. There won't be duplicate sysfs
>attributes, memory will be allocated, and so on. Fixes to remove() might
>be worthwhile if it is a hot-pluggable bus, but otherwise - no. Yes, the
>box may OOPS if someone manually unbind device through sysfs, but the
>solution is no to patch stable kernels, but simply tell user "dont to
>that [yet]".
>
>When selecting a patch for stable ask yourself: "if I do not pick this
>for stable will a distribution be willing to patch this into their
>kernel on their own"? If the answer is "no" it should be pretty strong
>indicator whether a patch belongs to stable or not.

There is a big difference between distros and the stable trees. Distros
know who their users/customers are, OTOH we have no clue who the users
of stable trees are.

I think Greg's last estimate was that about 1/3 of the kernels in the
wild are custom based on a kernel.org stable kernel, which means that we
have no visibility as to what they do with the kernel. If you don't know
who your users are, how can you prioritize some subsystems over others?

I don't think we can do any of that because we don't know who uses the
kernel and what bugs they hit, or don't hit. This is one of the reasons
we ask everyone to pick everything, if they don't use whatever code we
changed they won't be affected at all.

As a trivial example: we run a few kernels with custom configs in
Microsoft. Can you tell which drivers we use and how many machines use
them? Us not showing up in git log doesn't mean we don't use something,
it just means that the stable process works for us.

--
Thanks,
Sasha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ