[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

[Jiri Kosina]

On Sun, 9 Sep 2018, Greg KH wrote:

> Yes, this is something that is happening today.
> 
> If you look, L1TF is not fully backported to 4.4.y, for anyone running
> 4.4.y as a host operating system.  The backport was just too horrible
> and no one wanted to do it and test it as all of the major hosting
> services have moved on to 4.9.y or better.

Unrelated sidenote: we have the whole thing backported to SUSE 4.4 kernel, 
so it can be cherry-picked from there if needed.

> There are other examples of this, spectre fixes for arm32 are not in any
> stable tree older than 4.18.y.  Same for other arches and kernel
> versions.
> 
> I tried to write up "what kernel version to use" on my blog a few weeks
> back to answer this type of question.  Basically, only "trust" the
> latest LTS stable kernel for security issues to be able to use it to run
> untrusted users.  When you start getting older kernels involved, nasty
> problems like what Meltdown and the like are having to implement, it
> just does not work.

OK, so as long as this message is completely clear to the stable tree 
consumers (see my other mail about potential legal implications for the 
downstream consumers in case they are not aware of this), then all is 
fine.

Thanks,

-- 
Jiri Kosina
SUSE Labs