[skered]

Until Red Hat starts to add backports or fixes for customers that don't get push back upstream. Then when X+1 gets to RHEL it's missing all the previous RHEL only updates (some not backport related).

[CoolGuySteve]

I always wondered who does all this backporting and patching work for these ancient enterprise Linuxes. It seems like brutally monotonous work.

Maybe they're reading this comment right now, hi!

[handrous]

Is there a world in which the vast majority of dev work isn't brutally monotonous? Most work's writing unremarkable code for unremarkable products containing unremarkable features that have already been implemented 1,000 times before, and likely even more than once before for the person doing the work. A ton of dev time, at least for people who aren't the much-derided solo-language-experts (e.g. The C# + Windows programmer, the Java programmer, who only do those kinds of jobs and don't even dabble in much else) is just wrangling the unfamiliar-brokenness of a tool & library ecosystem (it would be familiar-brokenness 5 years in and take up little of your time, for most non-trendy platforms, but you're either using a trendy one that changes way too much, or will be on a different language + ecosystem entirely before you hit 5 years on this one).

Very little dev effort is working on anything cool, and very little of the code for cool projects isn't kinda boring and normal.

[delaynomore]

For a lot of developers, "brutally monotonous work" is just ... work.

[NAK21]

Maybe I'm missing what's ancient about Fedora or RHEL, care to share?

[CoolGuySteve]

RHEL 7 came out 6 years ago with Linux 3.10 and is still getting patched. Somebody has to manage and integrate all those security fixes in all those packages without breaking the old codebases.

[chasil]

...it's not just getting patched.

Kernelcare has given me 48 hotfixes on a 3.10 kernel that I booted last year.

    kcarectl --patch-info | awk '/^kpatch-name/{print ++n};{print}'
    ....
    48
    kpatch-name: 3.10.0/proc-restrict-pagemap-access-1062.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel: 
    kpatch-cve: 
    kpatch-cvss: 
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url: 

    uname: 3.10.0-1160.25.1.el7

[gnufx]

Is "kpatch" there actually the same thing as RHEL's kpatch? I thought Kernelcare used something proprietary.

[chasil]

The Kernelcare front end tool is kcarectl.

Ksplice (Oracle) was first, followed by kgraft (Suse), and kpatch (RedHat).

According to the article below, kpatch is x86/64 only, uses ftrace, provides runtime patches only until the next minor kernel release on a standard license, does not address all CVEs, and cannot be used with "SystemTop or kprobe."

"KernelCare has no such limitations."

https://blog.kernelcare.com/competitors/kpatch-overview-of-e...

[jaboutboul]

+1 for KernelCare.

[gnufx]

Actually, POWER9 RHEL7 has Linux 4.x, where x depends on the minor release -- unfortunately not the latest on the system I use. I think aarch64 is similar, but I'd have to look for rpm to check. They need similar attention, of course.

Anyway, RHEL kernels have various features backported to the vanilla version on which it was originally based, not just security patches, which probably makes the job harder. It is a major effort.

[denimnerd42]

How often does this happen? do they not keep track of what they need to upstream? how do they merge that all back in when X+1 begins? yikes..

[richardwhiuk]

Presumably everything relevant in RHEL gets backported before the next RHEL cut, and everything is in a branch?