Re: My thoughts on the "new development model"

From: Theodore Ts'o
Date: Thu Oct 28 2004 - 12:32:24 EST


On Thu, Oct 28, 2004 at 12:14:42PM -0400, John Richard Moser wrote:
> I've already heard rumors (very few, and they've been squashed) of
> GrSecurity being abandoned. The authors of both PaX and Gr are both
> active, they're just spinning on 2.6.7.
>
> Do you see the scenario occurring here? Their project is obviously
> inferior in many peoples' minds because it's not the latest
> hot-off-the-LKML 2.6 kernel. Indeed, many security fixes in (soon to
> be) 2.6.10 aren't in 2.6.7, which could provide known ways to easily
> slip straight past PaX and Gr (I haven't done my research, but this is
> not a hollow scenario).

So the security people who are doing the security patches have two
choices.

(a) Keep up with the mainline kernel, and try to get their changes
merged into the mainline kernel.

(b) Backport the security patches into 2.6.7, or convince/pay someone
to do this work for them.

Well, I suppose the incessant whining on LKML might be considered an
ineffective way of trying to do (b), but fundamentally, it doesn't
address this important question: Why should the mainline kernel
folks be asked to do extra work because the security people don't
want/care to get their code clean enough to be merged into mainline?

If they choose not to work towards merging their changes with
mainline, then they have to pay the price of an external patch, which
is constantly keeping up with a changing mainline, or creating their
own set of patch backports.

I'll note by the way that the distributions have chosen the latter for
their stable Enterprise kernels; so this is an honorable and viable
choice, although they do have paying customers to allow them to pay
the costs of doing the backporting, testing, and qualifying the
patches to their stable snapshot for Red Hat's RHEL and SuSE's SLES.
The difference seems to be that you don't want to pay for a supported
distribution's stable kernel, and you don't want to do the work
yourself. Instead you want to whine on LKML. Is that a fair summary
of the state of affairs?

- Ted