Message-ID: <20200417082555.GA140064@kroah.com>
Date: Fri, 17 Apr 2020 10:25:55 +0200
From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To: Saeed Mahameed <saeedm@...lanox.com>
Cc: "kuba@...nel.org" <kuba@...nel.org>,
"sashal@...nel.org" <sashal@...nel.org>,
"ecree@...arflare.com" <ecree@...arflare.com>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"gerlitz.or@...il.com" <gerlitz.or@...il.com>
Subject: Re: [PATCH AUTOSEL 4.9 09/26] net/mlx5e: Init ethtool steering for representors

On Thu, Apr 16, 2020 at 09:11:38PM +0000, Saeed Mahameed wrote:
> On Thu, 2020-04-16 at 13:08 -0700, Jakub Kicinski wrote:
> > On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote:
> > > > > IMHO it doesn't make any sense to take into stable automatically
> > > > > any patch that doesn't have fixes line. Do you have 1/2/3/4/5
> > > > > concrete examples from your (referring to your Microsoft employee
> > > > > hat comment below) or other people's production environment where
> > > > > patches proved to be necessary but they lacked the fixes tag -
> > > > > would love to see them.
> > > >
> > > > Oh wow, where do you want me to start. I have zillions of these.
> > > >
> > > > But wait, don't trust me, trust a 3rd party. Here's what Google's
> > > > security team said about the last 9 months of 2019:
> > > > - 209 known vulnerabilities patched in LTS kernels, most without
> > > > CVEs
> > > > - 950+ critical non-security bug fixes for device XXXX alone
> > > > with LTS releases
> > >
> > > So opt-in for these critical or _always_ in use basic kernel
> > > sections.
> > > but make the default opt-out..
> >
> > But the less attentive/weaker the maintainers the more benefit from
> > autosel they get. The default has to be correct for the group which
> > is more likely to take no action.
>
> or the more exposed they are to false positives :), unnoticed bugs due
> to wrong patches getting backported.. this could go for years for less
> attentive weaker modules, until someone steps on it.

Bugs due to only a limited set of patches being backported are generally
very rare compared to the known bugs being present that are not fixed by
not backporting patches.

Play the odds, they are not in your favor at the moment :)

thanks,

greg k-h