On Wed, 24 Jul 2013 19:54:10 +0200
Peter Stuge <peter@×××××.se> wrote:

> Rich Freeman wrote:
> > > As has been stated, this implies that Gentoo QA has tested the
> > > packages and found them to be reasonably safe for use.
> >
> > ++
>
> While good in theory, it seems that newer v-s are actually more
> "reasonably safe" than any g-s.

Depends; a version like 3.10.0 could introduce 0-days that might not get
fixed till 3.10.6, whereas a version like 3.9.11 received many fixes
and doesn't have these 0-days yet. Reasonably safe is subjective.

But that's just "safe" as in security, there's also "safe" as in
stable; versions like 3.10.0 - 3.10.2 come with a lot of rewrites, new
features and what not, a collection of stuff that was just written and
just passed the release candidate and stable queue. 3.10.0 breaks stuff.

Fixes for the introduced bugs will take a few more releases; that
3.10.3 that comes up? A whopping 100+ patches. Compare that to a version
like 3.9.11 that has not seen anything new and received lots of fixes.

This is why, for gentoo-sources, we pick kernels near the end of a
branch; they can be seen as more secure and stable than the latest
upstream stable kernel, especially since we backport important security
fixes. Like for instance has been seen with 3.7 and similar.

Now, you might wonder, why not stabilize 3.10.6 instead of waiting for
something like 3.10.12 that could be EOL? Well, while that is certainly
something we would like to do, and I have tried in the past; it didn't
work out because the stabilization teams are a bit undermanned to keep
up with stabilizing kernels this frequently. Don't forget there is
hardened-sources, you can see that they also have one kernel per
branch; their last stable kernel, awfully sits at 3.9.5. So...

Arch teams need more resources; as in man power and machine power.

--
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address : TomWij@g.o
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D