| 1 |
On Mon, Jul 31, 2017 at 6:13 PM, Mike Pagano <mpagano@g.o> wrote: |
| 2 |
> |
| 3 |
> When the motivation for a STABLEREQ is a high severity security bug |
| 4 |
> (e.g. root exploit), this delay in stabilization results in us having to |
| 5 |
> keep exploitable kernels in the tree in order not to drop the latest |
| 6 |
> stable for a specific architecture. |
| 7 |
> |
| 8 |
> The procedure outlined below allows for auto-stabilization of minor |
| 9 |
> bumps by the Gentoo kernel team for any previously stabled major version |
| 10 |
> kernel.[1] |
| 11 |
> |
| 12 |
|
| 13 |
I'd suggest taking it further and allowing auto-stabilization of all |
| 14 |
point releases whether they're security releases or not. The kernel |
| 15 |
team doesn't do a great job of identifying security issues in the |
| 16 |
first place, and I think the risk is pretty low here. The kernel has |
| 17 |
far more upstream QA than we provide and has almost zero in the way of |
| 18 |
dependencies (toolchain bugs really are the only thing that comes to |
| 19 |
mind). |
| 20 |
|
| 21 |
-- |
| 22 |
Rich |
Archives