All vendor kernels are plagued with security vulnerabilities, according to a CIQ whitepaper. Will the Linux community ever accept upstream stable kernels?
“Any bug has the potential of being a security issue at the kernel level.”
Although the programmers examined RHEL 8.8 specifically, this is a general problem. They would have found the same results if they had examined SUSE, Ubuntu, or Debian Linux. Rolling-release Linux distros such as Arch, Gentoo, and OpenSUSE Tumbleweed constantly release the latest updates, but they’re not used in businesses.
The proposed fix:
The team advocates for a shift toward using stable kernel branches from kernel.org for better security and bug management.
They’re also completely missing the point of distro kernel trees. Stable automatically selects patches from mainline (largely by keyword, and often without kernel developer feedback or involvement) and consequently has a massive amount of code churn and very little validation beyond shipping releases and waiting for regression reports. Distro trees are the buffer where actual testing happens before release. As a long term stable user it really isn’t suitable for end user or enterprise consumption unless you have your own in house validation process to test releases for regressions before deployment. Even running stable on client machines (desktops, laptops) leads to a bad time every few weeks when something sneaks in that breaks functionality.
Rolling-release Linux distros such as Arch, Gentoo, and OpenSUSE Tumbleweed constantly release the latest updates, but they’re not used in businesses.
So some businesses decided that monolithic releases were more important than being able to get the latest upstream vanilla kernel version, and somehow that’s the fault of “all Linux kernel vendors” (including rolling-release distros, since there was no attempt to qualify “all”) and not the businesses’ decisions about tradeoffs?
Random excerpts.
The proposed fix:
Woah, someone discovered fire.
They’re also completely missing the point of distro kernel trees. Stable automatically selects patches from mainline (largely by keyword, and often without kernel developer feedback or involvement) and consequently has a massive amount of code churn and very little validation beyond shipping releases and waiting for regression reports. Distro trees are the buffer where actual testing happens before release. As a long term stable user it really isn’t suitable for end user or enterprise consumption unless you have your own in house validation process to test releases for regressions before deployment. Even running stable on client machines (desktops, laptops) leads to a bad time every few weeks when something sneaks in that breaks functionality.
So some businesses decided that monolithic releases were more important than being able to get the latest upstream vanilla kernel version, and somehow that’s the fault of “all Linux kernel vendors” (including rolling-release distros, since there was no attempt to qualify “all”) and not the businesses’ decisions about tradeoffs?