Date:   Wed, 14 Jul 2021 17:43:42 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Theodore Y. Ts'o" <tytso@....edu>
Cc:     Sasha Levin <sashal@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Michal Hocko <mhocko@...nel.org>,
        Hugh Dickins <hughd@...gle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Miaohe Lin <linmiaohe@...wei.com>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        stable@...r.kernel.org
Subject: Re: 5.13.2-rc and others have many not for stable

On Wed, Jul 14, 2021 at 11:35:29AM -0400, Theodore Y. Ts'o wrote:
> On Wed, Jul 14, 2021 at 09:52:53AM -0400, Sasha Levin wrote:
> > On Wed, Jul 14, 2021 at 11:18:14AM +0200, Greg Kroah-Hartman wrote:
> > > On Tue, Jul 13, 2021 at 06:28:13PM -0700, Andrew Morton wrote:
> > > > Alternatively I could just invent a new tag to replace the "Fixes:"
> > > > ("Fixes-no-backport?") to be used on patches which fix a known previous
> > > > commit but which we don't want backported.
> > > 
> > > No please, that's not needed, I'll just ignore these types of patches
> > > now, and will go drop these from the queues.
> > > 
> > > Sasha, can you also add these to your "do not apply" script as well?
> > 
> > Sure, but I don't see how this is viable in the long term. Look at
> > distros that don't follow LTS trees and cherry pick only important
> > fixes, and see how many of those don't have a stable@ tag.
> 
> I've been talking to an enterprise distro who chooses not to use the
> LTS releases, and it's mainly because they tried it, and there were too
> many regressions leading to their customers filing problem reports
> which get escalated to their engineers, leading to unhappy customers
> and extra work for their engineers.  (And they have numbers to back up
> this assertion; this isn't just a gut feel sort of thing.)

When did they last actually do this?  Before or after we started testing
stable releases better?

I have numbers to back up the other side, along with the security
research showing that to ignore these stable releases puts systems at
documented risk.

But enterprise distros really are a small market these days, a rounding
error compared to Android phones, so maybe we just ignore what they do
as it's a very tiny niche market these days?  :)

thanks,

greg k-h
