On Thu, Apr 16, 2020 at 09:11:38PM +0000, Saeed Mahameed wrote:
On Thu, 2020-04-16 at 13:08 -0700, Jakub Kicinski wrote:
On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote:
IMHO it doesn't make any sense to take into stable automatically any patch that doesn't have a Fixes line. Do you have 1/2/3/4/5 concrete examples from your (referring to your Microsoft employee hat comment below) or other people's production environments where patches proved to be necessary but lacked the Fixes tag - would love to see them.
Oh wow, where do you want me to start. I have zillions of these.
But wait, don't trust me, trust a 3rd party. Here's what Google's security team said about the last 9 months of 2019:
- 209 known vulnerabilities patched in LTS kernels, most without CVEs
- 950+ critical non-security bug fixes for device XXXX alone with LTS releases
So opt-in for these critical or _always_ in use basic kernel sections, but make the default opt-out.
But the less attentive/weaker the maintainers the more benefit from autosel they get. The default has to be correct for the group which is more likely to take no action.
or the more exposed they are to false positives :), unnoticed bugs due to wrong patches getting backported. This could go on for years for less attentive, weaker modules, until someone steps on it.
Bugs due to only a limited set of patches being backported are generally very rare compared to the known bugs being present that are not fixed by not backporting patches.
Play the odds, they are not in your favor at the moment :)
thanks,
greg k-h