
Linux 4.15 kernel finally released a week late, thanks to the Spectre and Meltdown CPU security bugs

The release of Linux 4.15 has been announced by Linus Torvalds, following a delay attributed to the Meltdown and Spectre CPU security flaws. As a result of those delays, Torvalds pushed out a ninth release candidate, while work on 4.15 continued.
« This obviously was not a pleasant release cycle, with the whole Meltdown/Spectre thing coming in the middle of the cycle and not really gelling with our normal release cycle. The extra two weeks were obviously mainly due to that whole timing issue, » admitted Torvalds last night.
He confirmed that there had been no other major problems to report: « After a release cycle that was unusual in so many (bad) ways, this last week was really pleasant. Quiet and small, and no last-minute panics, just small fixes for various issues.
« I never got a feeling that I’d need to extend things by yet another week, and 4.15 looks fine to me. »
However, this isn’t the end of the Spectre/Meltdown upheaval. He went on to warn: « It is worth pointing out that it’s not like we’re ‘done’ with Spectre/Meltdown.
« There is more work pending (ARM, Spectre-v1, misc details), and perhaps equally importantly, to actually get the biggest fix for the indirect branch mitigations, you need not just the kernel updates, you need to have a compiler with support for the ‘retpoline’ indirect branch model. »
It’s worth pointing out once again that Linux has very little to do with either vulnerability. But given that the vast majority of the blame falls at the chip level, which cannot be fixed with patches, Linux code has to step up as the protective extra layer against what has the potential, if left unchecked, to be one of the worst vulnerabilities in computing history.
Elsewhere, this version of the kernel, the second with a six-year shelf life, seems to be largely based on getting the nitty-gritty right, rather than huge, revelatory updates. At the heart of the changes are the 66 per cent (approximately) of drivers for graphics processors, input devices and networking.
As ever, where one merge window closes, another opens and Linux 4.16 is now open for contributors to get busy with.
Torvalds is hoping for an uneventful month: « Hopefully we’ll have a normal and entirely boring release cycle for 4.16. Because boring really is good. »
