On Mon, Jul 31, 2017 at 6:13 PM, Mike Pagano <mpagano@g.o> wrote:
>
> When the motivation for a STABLEREQ is a high severity security bug
> (e.g. root exploit), this delay in stabilization results in us having to
> keep exploitable kernels in the tree in order not to drop the latest
> stable for a specific architecture.
>
> The procedure outlined below allows for auto-stabilization of minor
> bumps by the Gentoo kernel team for any previously stabled major version
> kernel.[1]
>

I'd suggest taking it further and allowing auto-stabilization of all
point releases whether they're security releases or not. The kernel
team doesn't do a great job of identifying security issues in the
first place, and I think the risk is pretty low here. The kernel has
far more upstream QA than we provide and has almost zero in the way of
dependencies (toolchain bugs really are the only thing that comes to
mind).

--
Rich