Did a quick *rough* check:
* 65 #Linux #kernel CVE announcements from Greg so far
* 55 of those refer to a mainline commit
* 10 of those were marked for backporting to stable/longterm
And that's why Greg backports a lot of #LinuxKernel mainline commits to stable/longterm that are *not* tagged for backporting -- and why "only backport changes mainline developers[1] tagged for backporting" is a bad idea.
[1] reminder, such tagging is optional, as participation in stable/longterm is optional
2/ And yes, maybe some of those 45 commits that were not tagged for stable/longterm backporting might not be actual security issues/not worth a CVE. But some of those most likely are. I trust the Linux kernel CVE team's judgement here. And better safe than sorry, too.
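The distinction the rough tally above rests on is whether a mainline commit carries a `Cc: stable@` trailer or only a `Fixes:` trailer. As an added example (not code from anyone in this thread), here is a small Python classifier over commit trailers that sorts commits into those three buckets and counts them; the commit messages are constructed samples, and the trailer forms follow the kernel's documented conventions.

```python
import re
from collections import Counter

# Trailer patterns, matched at line start and case-insensitively:
#   "Cc: stable@vger.kernel.org # 6.1+"  (optionally wrapped in <...>)
#   "Fixes: <sha> ("subject")"
STABLE_RE = re.compile(r"^cc:\s*<?stable@(?:vger\.)?kernel\.org>?", re.I | re.M)
FIXES_RE = re.compile(r"^fixes:\s*([0-9a-f]{7,40})\b", re.I | re.M)

def classify(message: str) -> str:
    """Return how a mainline commit signals backport intent.

    'stable' - carries a Cc: stable@ trailer (backport explicitly requested)
    'fixes'  - only a Fixes: trailer (it is a fix, but no backport request)
    'none'   - neither trailer
    """
    if STABLE_RE.search(message):
        return "stable"
    if FIXES_RE.search(message):
        return "fixes"
    return "none"

def summarize(commits: dict[str, str]) -> Counter:
    """Count commits per class, mirroring the quick tally in the thread."""
    return Counter(classify(msg) for msg in commits.values())

# Constructed sample messages: hypothetical commits, not real kernel history.
SAMPLE_COMMITS = {
    "c0ffee1": "foo: fix use-after-free on close\n\n"
               "Fixes: 0123456789ab (\"foo: add close path\")\n"
               "Cc: <stable@vger.kernel.org> # 6.1+\n"
               "Signed-off-by: Dev <dev@example.com>\n",
    "c0ffee2": "bar: validate length before memcpy\n\n"
               "Fixes: fedcba987654 (\"bar: parse records\")\n"
               "Signed-off-by: Dev <dev@example.com>\n",
    "c0ffee3": "baz: check NULL return from kmalloc\n\n"
               "Signed-off-by: Dev <dev@example.com>\n",
    "c0ffee4": "qux: fix off-by-one in ring index\n\n"
               "Cc: stable@kernel.org\n"
               "Fixes: 1234567 (\"qux: add ring\")\n",
}

if __name__ == "__main__":
    for sha, msg in SAMPLE_COMMITS.items():
        print(sha, classify(msg))
    print(summarize(SAMPLE_COMMITS))
```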
@kernellogger Your data is going to be a bit skewed here, we have ONLY processed the v6.7..v6.7.1 and most of the v6.7.1..v6.7.2 commits so far for CVE-related stuff, which by far the majority have only Fixes: tags due to my travel schedule during those releases (i.e. I didn't have the cycles to catch up with the cc: stable@ tagged commits). I bet the numbers will level out over time as we catch up with the rest of the commits in the v6.7.Y releases.
And it’s good to see people paying attention, thank you!
Thx for the additional insights, much appreciated. And thx for all your work, too!
Yes, I had expected the data to be somewhat skewed at this point as things are still new. Will almost certainly do another "quick and rough" check once 6.7.y becomes EOL!