On Fri, Nov 11, 2005 at 09:49:08PM -0600, Rob Landley wrote:
>
> One question I've wondered about for a bit...
>
> The diff between each dot release (ala 2.6.12.0->2.6.12.1) can theoretically
> be backported to an older kernel. So in theory, at least some of the new
> security fixes can be applied to older kernels. (Yeah, this necessarily
> complete. Whether or not the patch makes any sense at all in the older
> context, and whether or not that's everything they need to do... That's a
> seperate issue. It allows some minimal, relatively straightforward
> maintenance to be done on systems that are stuck with older kernels by
> management fiat.
>
> The gap is the jump to the next major release. Suppose that 2.6.15 makes it
> up to 2.6.15.10, and then 2.6.16 comes out. Are there any security fixes in
> 2.6.16 that weren't in 2.6.15.10? Fixes which would have been in a 2.6.15.11
> if the next big release had been delayed another two weeks?
>
> From a practical standpoint, somebody stuck on 2.6.15 for another six months
> is likely to at least try to apply the next security update (the diff between
> 2.6.16->2.6.16.1) to their old kernel, but are they missing a week or two's
> worth of security fixes?
They miss a completely undefined amount of fixes.
Consider e.g. the case that 2.6.16 contains fixes that are later
identified as possible security issues.
The 2.6.16->2.6.16.1 patch fixes bugs in 2.6.16 - trying to apply it to
a 2.6.15 kernel might both leave security holes and add new breakages.
> I'm trying to clarify what my question is: When a new stable kernel comes
> out, do the dot-release guys do one more release of security-only fixes to
> patch all the known vulnerabilities that the new one addressed before moving
> on? Or do they just leave a gap and say "upgrade"?
There is no last dot-release - and it wouldn't help.
If you are running ftp.kernel.org kernels you have to upgrade to the
latest one or you will definitely miss security fixes.
If this is a problem for you stay with distribution kernels -
distributions offer exactly the service of security fixes for their
kernels for a well-defined amount of time.
> Rob
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
