lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 17 Apr 2020 10:25:55 +0200
From:   "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To:     Saeed Mahameed <saeedm@...lanox.com>
Cc:     "kuba@...nel.org" <kuba@...nel.org>,
        "sashal@...nel.org" <sashal@...nel.org>,
        "ecree@...arflare.com" <ecree@...arflare.com>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "gerlitz.or@...il.com" <gerlitz.or@...il.com>
Subject: Re: [PATCH AUTOSEL 4.9 09/26] net/mlx5e: Init ethtool steering for
 representors

On Thu, Apr 16, 2020 at 09:11:38PM +0000, Saeed Mahameed wrote:
> On Thu, 2020-04-16 at 13:08 -0700, Jakub Kicinski wrote:
> > On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote:
> > > > > IMHO it doesn't make any sense to take into stable
> > > > > automatically
> > > > > any patch that doesn't have fixes line. Do you have 1/2/3/4/5
> > > > > concrete
> > > > > examples from your (referring to your Microsoft employee hat
> > > > > comment
> > > > > below) or other's people production environment where patches
> > > > > proved to
> > > > > be necessary but they lacked the fixes tag - would love to see
> > > > > them.  
> > > > 
> > > > Oh wow, where do you want me to start.  I have zillions of these.
> > > > 
> > > > But wait, don't trust me, trust a 3rd party.  Here's what
> > > > Google's
> > > > security team said about the last 9 months of 2019:
> > > > 	- 209 known vulnerabilities patched in LTS kernels, most
> > > > without
> > > > 	  CVEs
> > > > 	- 950+ criticial non-security bugs fixes for device XXXX alone
> > > > 	  with LTS releases
> > > 
> > > So opt-in for these critical or _always_ in use basic kernel
> > > sections.
> > > but make the default opt-out.. 
> > 
> > But the less attentive/weaker the maintainers the more benefit from
> > autosel they get. The default has to be correct for the group which 
> > is more likely to take no action.
> 
> or the more exposed they are to false positives :), unnoticed bugs due
> to wrong patches getting backported.. this could go for years for less
> attentive weaker modules, until someone steps on it.

Bugs due to only a limited set of patches being backported are generally
very rare compared to the known bugs being present that are not fixed by
not backporting patches.

Play the odds, they are not in your favor at the moment :)

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ