On Wed, May 07, 2014 at 05:57:54PM +0200, Ingo Molnar wrote: > Live patching does not enter into this question, ever. The correctness > of a patch to the source does not depend on 'live patching' > considerations in any way, shape or form. > > Any mechanism that tries to blur these lines is broken by design. > > My claim is that if a patch is correct/safe in the old fashioned way, > then a fundamental principle is that a live patching subsystem must > either safely apply, or safely reject the live patching attempt, > independently from any user input.
That's a valiant goal, but it's not going to happen unless you want to rewrite Linux in Haskell. It's just not possible for a program to prove that a patch is safe to apply to a running kernel. There are way too many subtle interactions with dynamically allocated data between functions. I think the only way to achieve that is with CRIU, but it still requires a kexec or a reboot, so you lose all kernel state and it's much more disruptive. > "We think/hope it won't blow up in most cases and we automated some > checks halfways" or "the user must know what he is doing" is really > not something that I think is a good concept for something as fragile > as live patching. This is a distro tool, not a general purpose one. If distros are careful with their patch selection, it won't blow up. It's a valuable way for distros to help out sysadmins who need a hot security fix but can't reboot immediately. -- Josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/