longsleep
commented
8 years ago Looks much better now. Thanks for your efforts!
Closed janjwerner closed 8 years ago
longsleep
commented
8 years ago Looks much better now. Thanks for your efforts!
ThomasKaiser
commented
8 years ago BTW: We (at Armbian) also have to deal with outdated kernel sources (3.4 for sunxi and 3.10 for ODROIDs and Marvell). Wo chose a more time consuming approach and instead of only applying certain CVE fixes we create for every outdated kernel tree we maintain a clean patch set containing all patches to the most recent kernel version (for H3 for example we're going the extra mile from 3.4.39 up to 3.4.110.
A good source to collect all patches might be Hardkernel's 3.10.y branches odroidxu3-3.10.y or odroidc-3.10.y looking only for commits whose names start with »Merge tag 'v3.10.« to start cherry picking ;)
A few backported device drivers should also be there. A diligent but routine piece of work but maybe worth the efforts for someone paying attention to both security and normal fixes (we had a funny data loss with btrfs a few years ago -- ~30TB but fortunately this was the backup storage -- and the fix made it into 3.10.y just recently)
janjwerner
commented
8 years ago Hey TKaiser, It is a great idea. I picked up security patches since i have to track those anyways. I will look into the resources you listed and try to apply them. Cheers On Mar 4, 2016 07:55, "Thomas Kaiser" notifications@github.com wrote:
BTW: We (at Armbian) also have to deal with outdated kernel sources (3.4 for sunxi and 3.10 for ODROIDs and Marvell). Wo chose a more time consuming approach and instead of only applying certain CVE fixes we create for every outdated kernel tree we maintain a clean patch set containing all patches to the most recent kernel version (for H3 for example we're going the extra mile from 3.4.39 up to 3.4.110 https://github.com/igorpecovnik/lib/tree/master/patch/kernel/sun8i-default .
A good source to collect all patches might be Hardkernel's 3.10.y branches odroidxu3-3.10.y https://github.com/hardkernel/linux/commits/odroidxu3-3.10.y or odroidc-3.10.y https://github.com/hardkernel/linux/commits/odroidc-3.10.y looking only for commits whose names start with »Merge tag 'v3.10.« to start cherry picking ;)
A few backported device drivers should also be there. A diligent but routine piece of work but maybe worth the efforts for someone paying attention to both security and normal fixes (we had a funny data loss with btrfs a few years ago -- ~30TB but fortunately this was the backup storage -- and the fix made it into 3.10.y just recently)
— Reply to this email directly or view it on GitHub https://github.com/longsleep/linux-pine64/pull/7#issuecomment-192270307.
ThomasKaiser
commented
8 years ago Please be prepared that this can be a bit time consuming. I would start with trying to apply the patch set 3.10.65 --> 3.10.66 and see how much efforts are needed. And then decide to follow this or not. :)
janjwerner
commented
8 years ago Oh I know. This is one of the reasons I picked up exploitable vulns and patches them. It feels kind of silly because one should audit all the AW code to feel safer. Still that is yet another animal. Cheers On Mar 4, 2016 8:08 AM, "Thomas Kaiser" notifications@github.com wrote:
Please be prepared that this can be a bit time consuming. I would start with trying to apply the patch set 3.10.65 --> 3.10.66 and see how much efforts are needed. And then decide to follow this or not. :)
— Reply to this email directly or view it on GitHub https://github.com/longsleep/linux-pine64/pull/7#issuecomment-192276542.
longsleep
commented
8 years ago Well, the branches are called with "hacks" in the name because they are very unclean and essentially only an experiment. The Allwinner patch set should be stripped of all the things inherited from Android and then cleanly applied on top of 3.10.65 from linux-stable or from linaro wichever is more feasible. Then that is done, a clean merge from there to HEAD could be created.
Personally i do not care overly much - anyone with more production quality interests should wait for mainline if you ask me :)
ThomasKaiser
commented
8 years ago You got a point. Doing so would also be an requirement for people concerned about security since only then you have an oversight what has been added from Allwinner sources to linux-stable.
Regarding experiments vs. production quality: That's absolutely true and for the very same reason Armbian won't touch A64 unless mainline u-boot is ready. But you should still keep in mind that most likely this branch here will be used by 'image builders' out there to provide Raspbian rip-offs or something even more weird for the simple reasons that it works. And they will stay with 3.10 since their target audience demands 'Mali acceleration' (even if they talk about CedarX in reality and not GPU)
re-committing fixes for CVE-2015-8543 and CVE-2013-7466