Sasha Levin kicks off ‘security tree’ side project. Linux developer Sasha Levin has kicked off a project in which he proposes gathering up kernel security fixes under a single tree.
The rationale behind the “Linux-stable security tree project”, he explains, is that sysadmins in large, complex deployments find following kernel upgrades is daunting.
“Quite a few users of the stable trees pointed out that on complex deployments, where validation is non-trivial, there is little incentive to follow the stable tree after the product has been deployed to production,” the announcement says.
Sysadmins are therefore caught between a rock and a hard place: try to keep up with every kernel fix so as to catch security fixes (difficult), or opt out of fixes because it’s all too hard (dangerous).
Levin reckons some projects “preferred to delay important kernel updates, and a few even stopped updating the tree altogether, exposing them to critical vulnerabilities”.
In response to a question from another developer, Levin says the Linux-stable security tree project will be to catch “anything exploitable by a local unprivileged user (or better),” whether or not it’s attracted the attention of Mitre and been issued a CVE.
Levin notes that he hopes to be able to maintain a security tree for all -stable branch versions that are still maintained – that is, he won’t only be following the very latest kernel revision.
The project has sparked a lively discussion over at the Linux Kernel Mailing List. The two main lines of criticism so far, El Reg would summarise as: “all bug fixes are potentially security fixes if they affect the stability of the system”, and “those responsible for patching systems should have processes good enough to handle pulling the full -stable branch when they need to patch”.
On the other hand, as this post from Linux consultant Eddie Chapman notes: “if I may offer one criticism of the kernel stable trees in general, it is that it is very hard to find and identify fixes for known security vulnerabilities.”
In other words, even if Levin can’t get 100 per cent coverage of security fixes, by offering users a single source for security patches only, security overall is improved the more people run those patches.