Linux-Stable-Security Kernel Tree Announced

  • Linux-Stable-Security Kernel Tree Announced

    Phoronix: Linux-Stable-Security Kernel Tree Announced

    Sasha Levin of Oracle has announced the formation of the Linux-Stable Security Tree...

    http://www.phoronix.com/scan.php?pag...table-Security

  • #2
    What's the difference between this and a longterm tree other than the false assurance of stability?



    • #3
      Better question yet, how do you differentiate between security fixes and "normal fixes"?
      I remember there was an "off by one" [bit] bug that people considered unexploitable right until somebody came up with a really clever exploit that played around with page allocation until it abused that arbitrary bitflip to cause permission change on page value.
      Also, security fixes are never marked as security bugs in commit logs as a policy (at least hackers have to look at bugs to figure out exploits instead of grepping git log).



      • #4
        Oracle claiming credit for providing a Linux kernel that not only is stable, but also, wait for it, secure. Fairly huge marketing win for cherry-picking only security-related commits added to the longterm tree.



        • #5
          In other words, now that Debian follows LTS, Oracle needs to differentiate their product from the common variety stable Linux. So, they're going to make their own LTS kernel tree.
          Last edited by c117152; 11 April 2016, 07:58 PM. Reason: proofing



          • #6
            Originally posted by LoveRPi
            What's the difference between this and a longterm tree other than the false assurance of stability?
            Exactly! Linux already has a longterm tree!



            • #7
              Oracle? Security? Are they serious about it? I've seen how Oracle "handles" Java security issues, etc.



              • #8
                While I do get the point from Oracle side, I don't see the benefit for the community. If the security fix is on top of a "random" fix, then need to either use the random fix or adapt the security fix. In each case, they are violating the constraints stated as the goal ....

                And validation needs to be done on the security fix anyway...



                • #9
                  Maybe Oracle wants to use it for their Exadata that is a monstrous machine and updating it requires massive re-testing effort.



                  • #10
                    but focus on just carrying fixes for security vulnerabilities. Other changes normally found in stable Linux point releases wouldn't be integrated.
                    So this will be like a normal point release except buggier? Because point releases do not get features, just bugfixes. So what's the point of discarding bugfixes if they are not security-related? Sounds like nonsense what they are doing.
