[CoolGuySteve]

I always wondered who does all this backporting and patching work for these ancient enterprise Linuxes. It seems like brutally monotonous work.

Maybe they're reading this comment right now, hi!

[handrous]

Is there a world in which the vast majority of dev work isn't brutally monotonous? Most work's writing unremarkable code for unremarkable products containing unremarkable features that have already been implemented 1,000 times before, and likely even more than once before for the person doing the work. A ton of dev time, at least for people who aren't the much-derided solo-language-experts (e.g. The C# + Windows programmer, the Java programmer, who only do those kinds of jobs and don't even dabble in much else) is just wrangling the unfamiliar-brokenness of a tool & library ecosystem (it would be familiar-brokenness 5 years in and take up little of your time, for most non-trendy platforms, but you're either using a trendy one that changes way too much, or will be on a different language + ecosystem entirely before you hit 5 years on this one).

Very little dev effort is working on anything cool, and very little of the code for cool projects isn't kinda boring and normal.

[delaynomore]

For a lot of developers, "brutally monotonous work" is just ... work.

[NAK21]

Maybe I'm missing what's ancient about Fedora or RHEL, care to share?

[CoolGuySteve]

RHEL 7 came out 6 years ago with Linux 3.10 and is still getting patched. Somebody has to manage and integrate all those security fixes in all those packages without breaking the old codebases.

[chasil]

...it's not just getting patched.

Kernelcare has given me 48 hotfixes on a 3.10 kernel that I booted last year.

    kcarectl --patch-info | awk '/^kpatch-name/{print ++n};{print}'
    ....
    48
    kpatch-name: 3.10.0/proc-restrict-pagemap-access-1062.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel: 
    kpatch-cve: 
    kpatch-cvss: 
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url: 

    uname: 3.10.0-1160.25.1.el7

[gnufx]

Is "kpatch" there actually the same thing as RHEL's kpatch? I thought Kernelcare used something proprietary.

[chasil]

The Kernelcare front end tool is kcarectl.

Ksplice (Oracle) was first, followed by kgraft (Suse), and kpatch (RedHat).

According to the article below, kpatch is x86/64 only, uses ftrace, provides runtime patches only until the next minor kernel release on a standard license, does not address all CVEs, and cannot be used with "SystemTop or kprobe."

"KernelCare has no such limitations."

https://blog.kernelcare.com/competitors/kpatch-overview-of-e...

[gnufx]

I asked because the listing said "kpatch" in the output of the command. I've never used Kernelcare, only suggested investigating it, despite it being proprietary.

Ksplice was done by MIT students, not Oracle. I used it long before Oracle bought it, initially with my own patches (and actually after that as a "legacy" customer). kpatch isn't just x86_64; it's in at least ppc64le RHEL 7, although not for the "alt kernel" on the POWER9 systems I use.

I don't know whether it's the case, but their comparison rather suggests Kernelcare is based on Ksplice.

[jaboutboul]

+1 for KernelCare.

[gnufx]

Actually, POWER9 RHEL7 has Linux 4.x, where x depends on the minor release -- unfortunately not the latest on the system I use. I think aarch64 is similar, but I'd have to look for rpm to check. They need similar attention, of course.

Anyway, RHEL kernels have various features backported to the vanilla version on which it was originally based, not just security patches, which probably makes the job harder. It is a major effort.