From the ‘Upstream First!’ files
On January 17th, Linus Torvalds committed a patch to the mainline Linux kernel for a memory handling flaw. As it turns out, the flaw was exploited quickly once Torvalds published the patch, with a proof of concept emerging rapidly.
So what’s the problem with this picture?
Linus patched the flaw. His focus is the mainline, and anyone who runs his tree is no longer at risk from this issue. That did, however, leave the big downstream distros, including Red Hat and Ubuntu, in a bit of a bind, as they don't patch as fast as Linus does. That's not to say they're slow, but there is a delay.
Which leads to the question – should there have been some additional vendor/distro consultation on this before the Torvalds patch was made public?
I know that in the past there has been the vendorsec list, and I know that Red Hat knows the upstream so well that they could have (or should have) known. But still, this (small) example is a potential area of risk that kernel developers might want to consider from a policy perspective. Any patch that has immediate security implications likely should be co-ordinated with the big distros (when possible). And that's the key, isn't it? Torvalds patches as fast as he can; is it then the distros' responsibility to keep pace?