[stonogo]

It could also be motivated by the fact that it's not entirely wise to base an entire multibillion dollar business around whatever text a non-employee happens to push to a repo you don't control.

[gregkh]

Android doesn't seem to mind, they require the LTS updates to be taken for their devices (well, "require" is a strong word, they are pushing harder now than they were in the past, "required" will be happening in the future, hopefully...)

As the number of systems running RHEL is really just a rounding error compared to the number of Android systems out there, maybe it doesn't really matter :)

[bonzini]

Android and RHEL are completely different scenarios.

The target of Android, which is who Google has to deal with, is multiple manufacturers creating kernels for custom hardware (often without upstream drivers), with very short product life, relatively little experience with upstream contribution and few needs for new features for a given major release of Android.

RHEL is developed by a single company with a 10 years life cycle, only 3-4 kernel versions to juggle but almost non-overlapping lifecycle (as far as the initial development-heavy phase is concerned). Development occurs upstream first and quite a few engineers are upstream developers or maintainers, so that the number of non-upstream features is very small and almost going down over time, see for example stuff like the secure boot lockdown patches that Matthew Garrett started when he was at Red Hat. And even though the product is not the kernel, we need to backport more features than what goes into LTS, because userspace needs them (user namespaces, driver updates, networking or virtualization optimizations, enablement for new processors, etc.)

So it's only natural that there are completely trade-offs to make.

[azinman2]

I would guess that RHEL has more stringent requirements than your average me-too Android manufacturer.

[radiator]

But do the devices running Android generally operate with the same requirements as the servers running RHEL?

[nordsieck]

> But do the devices running Android generally operate with the same requirements as the servers running RHEL?

I guess it depends on the device and the business.

How many days of downtime on Amazon.com is the cost of bricking 1M phones? Or 100M?

[stonogo]

Yes, that's why all the servers in the datacenter are running Android, which has a stellar security record.

This sort of myopia is yet another excellent reason for Red Hat to take their kernel process in-house.

[phh]

LTS' security record is definitely not to be proven. The example we're currently commenting on this thread is only one occurence. It is highly re-occuring.

RHEL fixes only CVEs. Linus Torvalds consider there is no such thing as a security bug, that actually every bug is a security bug. So RHEL's kernel can't be secure.

[zozbot234]

Debian also uses LTS-series kernels for their stable release - with their own patches on top. They don't actively backport features like RHEL does however.

[baggy_trough]

Why doesn't that argument apply to the mainline kernel?