|
| 1 | +## Linux versions |
| 2 | + |
| 3 | +Linux kernel releases include major releases (e.g. 6.0, 6.1, 6.2), long-term |
| 4 | +support (LTS) releases (e.g. 6.1, 6.6, 6.12) and stable releases (e.g. 6.12.0, |
| 5 | +6.12.1, ..., 6.12.66). |
| 6 | + |
| 7 | +Additionally, the Civil Infrastructure Platform (CIP) continues to maintain LTS |
| 8 | +releases once mainline support ends.[^2] This is done to meet industrial grade |
| 9 | +requirements. |
| 10 | + |
| 11 | +The latest releases are listed on [kernel.org](https://www.kernel.org/). [Linux |
| 12 | +kernel version |
| 13 | +history](https://en.wikipedia.org/wiki/Linux_kernel_version_history) on |
| 14 | +Wikipedia provides helpful diagrams for understanding the various Linux kernel |
| 15 | +releases. |
| 16 | + |
| 17 | +### ADI support |
| 18 | + |
| 19 | +ADI follows a similar approach to that taken by mainline. It attempts to |
| 20 | +maintain ADI changes on top of the latest LTS release and update those changes |
| 21 | +with every new LTS release. That process makes it easier to upstream those |
| 22 | +changes into the mainline kernel. |
| 23 | + |
| 24 | +ADI can also support older LTS releases by backporting changes, but that is not |
| 25 | +done automatically given the burden of supporting the many LTS versions. |
| 26 | + |
| 27 | +### CVE |
| 28 | + |
| 29 | +On February 13, 2024 kernel.org was added as a CVE Numbering Authority, giving |
| 30 | +the Linux development community more control over how CVEs are issued.[^1] Greg |
| 31 | +K-H provided context to that announcement in his blog post, [Linux is a |
| 32 | +CNA](http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/), and it was |
| 33 | +covered by LWN in [A turning point for CVE |
| 34 | +numbers](https://lwn.net/Articles/961978/). |
| 35 | + |
| 36 | +CVEs for the Linux kernel are announced on the [linux-cve-announce mailing |
| 37 | +list](https://lore.kernel.org/linux-cve-announce/). A more machine readable |
| 38 | +version is stored in the [security/vulns git |
| 39 | +repository](https://git.kernel.org/pub/scm/linux/security/vulns.git/), along |
| 40 | +with a set of scripts to parse the data. |
| 41 | + |
| 42 | +The establishment of the kernel CNA saw an increase in the number of CVEs |
| 43 | +being reported. |
| 44 | + |
| 45 | +CVE [Linux Kernel](https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33) on CVEdetails.com |
| 46 | + |
| 47 | +``` |
| 48 | +$ just summary |
| 49 | + Year Reserved Assigned Rejected A+R Returned Total |
| 50 | + 2019: 0 2 1 3 47 50 |
| 51 | + 2020: 0 17 0 17 33 50 |
| 52 | + 2021: 0 732 24 756 16 772 |
| 53 | + 2022: 0 2123 49 2172 17 2189 |
| 54 | + 2023: 0 1615 60 1675 0 1675 |
| 55 | + 2024: 0 3064 101 3165 6 3171 |
| 56 | + 2025: 19 2570 44 2614 0 2633 |
| 57 | + 2026: 498 2 0 2 0 500 |
| 58 | + Total: 517 10125 279 10404 119 11040 |
| 59 | +``` |
| 60 | + |
| 61 | +> Nobody who relies on backporting fixes to a non-mainline kernel will be able |
| 62 | +> to keep up with this CVE stream. Any company that is using CVE numbers to |
| 63 | +> select kernel patches is going to have to rethink its processes. |
| 64 | +
|
| 65 | +> ... distributors will simply fall back on shipping the stable kernel updates |
| 66 | +> which, almost by definition, will contain fixes for every known CVE number. |
| 67 | +
|
| 68 | +[^1]: https://www.cve.org/Media/News/item/news/2024/02/13/kernel-org-Added-as-CNA |
| 69 | +[^2]: https://wiki.linuxfoundation.org/civilinfrastructureplatform/cipkernelmaintenance |
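Review bot: The two blockquotes at new-file lines 61-66 carry no attribution, so a reader cannot tell whose assessment it is that CVE-driven backporting will not keep up with the stream. Name the source and link it beside the quotes (if they are taken from the LWN article linked at lines 33-34, say so there). The line `CVE [Linux Kernel](...) on CVEdetails.com` at line 45 is a fragment rather than a sentence; either turn it into a full sentence that introduces the link or drop it. The `just summary` output at lines 47-59 needs a sentence stating which repository the command is run in and the date of the snapshot, since the 2026 row (498 reserved, 2 assigned) is clearly partial and the counts will go stale. Minor: footnote `[^2]` is used at line 8 before `[^1]` at line 30, and the kroah.com link at line 32 uses `http://`.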