On Thu, 16 Apr 2020 19:31:25 +0000 Saeed Mahameed wrote:
IMHO it doesn't make any sense to take into stable automatically any patch that doesn't have fixes line. Do you have 1/2/3/4/5 concrete examples from your (referring to your Microsoft employee hat comment below) or other people's production environment where patches proved to be necessary but they lacked the fixes tag - would love to see them.
Oh wow, where do you want me to start. I have zillions of these.
But wait, don't trust me, trust a 3rd party. Here's what Google's security team said about the last 9 months of 2019:
- 209 known vulnerabilities patched in LTS kernels, most without CVEs
- 950+ critical non-security bug fixes for device XXXX alone with LTS releases
So opt-in for these critical or _always_ in use basic kernel sections. But make the default opt-out..
But the less attentive/weaker the maintainers the more benefit from autosel they get. The default has to be correct for the group which is more likely to take no action.