AlmaLinux / raspberry-pi

AlmaLinux Raspberry Pi

Kernel security updates #8

Closed bartmichu closed 2 years ago

bartmichu commented 2 years ago

Hello. Is there a policy regarding security fixes for the Linux kernel you are using, i.e. does anyone keep track of security updates so that they are also released for your project in a timely manner? Or is it more like a random kernel version bump from time to time?

Thank you for your hard work!

psgreco commented 2 years ago

The rpi kernels are basically upstream (kernel.org) kernels with patches from the rpi foundation on top (https://github.com/raspberrypi/linux), so any CVE that is fixed in the corresponding kernel will be fixed in the rpi version.

bartmichu commented 2 years ago

OK, thanks @psgreco, just one more clarification. Let's say a new upstream kernel is released today with some security fixes. When can I expect that to show up in my dnf updates? Is it only after you release a new image, as on 2021-10-05 and 2021-11-12?

psgreco commented 2 years ago

I try to update the kernels on a 2 to 4 week cadence ($dayjob permitting). If someone pings me with an urgent CVE, I could do it at any point. Kernel code is tracked here (https://git.centos.org/rpms/raspberrypi2/commits/c7-sig-altarch-lts-5-10), even though sometimes I forget to push. My unsigned builds of those kernels are uploaded here (https://people.centos.org/pgreco/rpi_aarch64_el8_5.10/), so you can update any image with them.

bartmichu commented 2 years ago

Sounds good. Once again, thank you for working on this project :)