7 comments

[ 2.9 ms ] story [ 30.6 ms ] thread
I was at the Linuxcon talk for this yesterday, here's the slides:

http://events.linuxfoundation.org/sites/events/files/slides/...

It's important to note that it's not exactly production ready, but it can work with really simple CVEs (things that don't require changes to data structures and such).

Because of this, kpatch needs a person to manually review the patch before applying it, so some kernel knowledge is required to make sure that you're making a good patch.

I do think that it'll get better as time goes on. This is a really neat feature and brings an open source competitor to ksplice.

How is this different from ksplice?
in a word. support.

as opposed to oracle overlords, who will eventually stop supporting grandfather'd customers and only support unbreakable linux.

there's kgraft and kpatch (suse and redhat respectively), different capabilities.

background links (kgraft/kspice) http://lwn.net/Articles/584016/ http://lwn.net/Articles/589183/

edit.. oracle also owns patents on ksplice.

Wait, how handy will this be for adding backdoors once you have root?
Patch modules can be signed so assuming you only need signed patches (which seems reasonable) this shouldn't be too much of a concern.