In light of the recent kernel vulnerabilities, issues with our kernel stabilization policy have been brought to light.
The discussion and potential solution were initiated by Kerin Millar, one of our more technical users (who I would like to see become a dev). He opened a bug, and the discussion that followed can be read on bug #338739.
To sum up, we want to be able to stabilize kernels faster, especially in the case when a vulnerability is discovered.
We are looking to get agreement from the arch teams for the policy to be as follows:
For a new version release (2.6.X), stabilization will follow the same steps as it does today: we open a bug, and all the arches stabilize as they see fit.
Once this happens, any subsequent point release (2.6.X.y) will be automatically stabilized for any arches that had the previous version stabled. This includes gentoo-sources, especially since security patches are sometimes not released for “older” kernels (2.6.34, for example).
I would appreciate arch team leads’ buy-in, alternative solutions, or comments on the bug; some have already responded. The faster we can get a solid policy in place, the faster we get security-patched kernels to our users.
I appreciate everyone’s time and effort. I wanted to blog this so people don’t think the kernel team is doing nothing to address the identified shortcoming.
As always, feel free to contact me on any medium if you would like to discuss.