Kernel patchsets - Currency

Just before New Years' Day this year, I word-vomited about what goes into a kernel patchset, as well as design decisions behind my personal patchset, kernel-mc.

It's nearly the end of the year, and a lot has happened since. To say the least. Recently, I made an -mc2 kernel in the 6.6 series, something I'd been intending to do for at least six months, but that got away from me.

So I'd like to, for a moment, just go over why you should care.

Linux distributions such as Red Hat and Debian put a hell of a lot of effort into keeping their kernels up to date, while not diverging from the version number that their distribution initially shipped with. In many cases, this means a mishmash of backported fixes from newer kernel series, which is why you can see some truly bizarre versions on linux kernels.

The reason for this is not solely that "big number better", though it certainly does play a part - back in the bad old days, Linux distributions on physical CDs would frequently tell you what version of the kernel, GCC, and XFree86 (now X.Org) they shipped with, as well as if they included things like Netscape.

While a larger version number is impressive in its own right - up-to-date software has its own utility. In my previous posting on the kernel, I referred to hardening the kernel against speculative execution attacks in the 4.14 series. At the time, the patches to do this were just that - patches. The technique implemented, of Page Table Isolation, were merged into Linux 4.15, and the first longterm kernel that had them from the get-go was kernel 4.19.

The kernel series 4.4, 4.9, and 4.14 did eventually have these features backported - but if you had a distribution that, hypothetically, really badly depended on the kernel version being "4.9.69", then simply jumping forward to "4.9.75" (the version where the KPTI patches were backported upstream) would break things. So, you might have, instead, say, "4.9.69-secure+PTI_e2f5aa06", which might either be a re-versioned 4.9.75 (easy enough to do, just change the toplevel Makefile), or it might be some unholy abomination based on 4.9.69 with some cherry-picked fixes added on.

One of the kernel maintainers, Greg Kroah-Hartman (gregkh to his enemies), has a page opining on which version of the kernel you should use. He's one of the most qualified people to comment on the topic. He suggests that the path of least resistance is the kernel your distribution supports, followed by the latest stable. The reason for this assessment is that both of these cases will generally have the security fixes to ensure that you won't get pwned by whatever garden-variety script kiddie is bored that day. What Mr. Kroah-Hartman doesn't quite get so far as suggesting is that in the general, his proposal on what version to use actually tracks quite well with open source software in general.

On another page, discussing how the Linux kernel handles releases, Mr. Kroah-Hartman has the opportunity to quote possibly the one person more qualified to talk about linux versioning - Linus:

[...] I don't want to perpetuate the myth of "security fixes" as a
separate thing from "plain regular bug fixes".

They're all fixes. They're all important. As are new features, for that
matter.

[...]

It's pointless and wrong because it makes people think that other bugs
aren't potential security fixes.

This, gregkh summarises as "all fixes are security fixes". The reason to not take this attitude is that in large pieces of complex software, there can be regressions, where something that previously worked no longer does. An example would be that in macOS Sequoia, it has been reported that the integral disc burning functionality no longer works. This was probably not tested for, as, to my knowledge, no Mac that natively (i.e. without hacking) supports Sequoia has an internal optical drive. In fact, I'm pretty sure that no Mac that natively supports macOS Ventura, two versions older, has an internal optical drive.

To blatantly echo gregkh, it's important to keep a kernel up-to-date, as basically every bugfix can have security implications. To extend his argument, keeping your software up-to-date generally, as long as you don't introduce regressions (specifically, breaking things that previously worked), is a generally sound policy.

So - go on, update your computer system. You've probably not done it for a while. And if you're using kernel-mc, 6.6-mc2 can be had from here. I'll update the actual webpage for it soon, I swear.