Conversation
For your Sunday reading: https://arxiv.org/pdf/2402.05212.pdf "An Investigation of Patch Porting Practices of the
Linux Kernel Ecosystem" in which different distros, and Android, are evaluated as to how up to date they stay with upstream fixes. Note that RHEL or CentOS is not evaluated "because of the lack of public git repositories or insufficient data."

About time someone started writing papers about this stuff...
3
15
31

@gregkh lol at the note.
Out of all of the consequences that could have been true, 'getting left out of academic research' was not on my bingo card.

0
0
1

@gregkh This is interesting:

"In addition, we find that CVE is also a focus for distributions (as they are responsible for the security of their customers). In particular, [distro] maintainers usually attach a CVE ID to indicate that the patch fixes a known security vulnerability. Interestingly, we note that the picked CVE patches appear in distributions 74.2 days earlier than LTS on average; even if the picked CVE patches are later than LTS, it is only 16.7 days later on average."

0
1
1

@Conan_Kudo @gregkh I emailed the first author, Xingyu (xli399@ucr.edu), and they said “Centos stream was just transferred from Centos at that time.” I’ve never published a paper at a conference before, so I’d take their word for it and assumed the paper was put together a whole ago, i.e., back when all we had was Stream 8’s incomplete git history.

0
0
0