'Moss-covered Tortoise' 2.0.40 Linux Kernel

An anonymous reader writes "KernelTrap reports that David Weinehall has released the 2.0.40 stable Linux kernel, calling it the "Moss-covered Tortoise". It earned this name by being released over 3 years after its predecessor, 2.0.39. Those still using the 2.0 kernel are recommended to upgrade for numerous reasons, including fixes to local exploits and remote information leaks. View the changelog and download the new kernel from a kernel.org mirror."

local root

[Tirel]

there was a local root exploit in 2.0.39 and it took the maintainer 3 years to fix? why the hell couldn't he just assign it someone else if he didn't have the time (I read the interview a while back).

I wonder if he feels guilty for all those boxes that got owned in the 3 years.

Though, I suppose, not many people run 2.0.x these days.

Re:local root

[IshanCaspian]

The older kernels aren't really useful for most things we associate linux with...if you need a stripped-down kernel for an embedded device, local root holes don't matter.

Re:local root

[tao]

Well, I released patch-2.0.40-pre1 (the first pre-patch for the 2.0.40-kernel) very soon after I first got to know about the exploit (in 2001), so no, I don't feel particularly guilty about this. People who still use 2.0-kernels for their machines shouldn't use them for multi-user purposes in a hostile environment (and firewall them _very_ carefully if they dare to connect them to the Internet), something I have stated publicly several times.

Of course I still include fixes for this kind of bugs when I get reports about them, but I won't rush a new 2.0-kernel when a new exploit surfaces, just a new pre-patch with the fix. If I had a broad user-base that could test every pre-patch thoroughly and provide me with feedback, the situation might've been different.

Regards: David Weinehall

Re:local root

[Viol8]

"People who still use 2.0-kernels for their machines shouldn't use them for multi-user purposes in a hostile environment "

And why not exactly? If it was good enough for this purpose 3 years ago why isn't it good enough now? And if its got so many exploits how about
you get them fixed? If you can't be bothered then let someone else do your job!

Re:local root

[tao]

The reason I recommend people not to use 2.0 in a hostile multi-user environment, is because the feedback I receive for every new release (or pre-release) of 2.0 is virtually non-existing; I think the record feedback for a release is somewhere in the vicinity of 10 users. Furthermore, no large distribution runs the 2.0-kernel any longer, thus no active auditing takes place.

Also, since any large code-rewrites is out of the question for the 2.0-series, so some things are not fixable at all.

I never said the 2.0-series has got a lot of exploits that's known to me; all known exploits are, to the best of my knowledge, fixed in 2.0.40. And I never said I didn't bother to fix them (read my post again!) I just said I won't bother rushing out a new release (as in a 2.0.41, 2.0.42, ...) if a new exploit is discovered, I only release a new pre-patch.

Regards: David Weinehall

Re:hahaha

[rjw57]

Damn you sir! Your carefully constructed criticism is the key reason Microsoft needs to tell users considering of switching. You sir have just killed this entire 'Open Source' thing -- unless we can send in the guys with black helecopters to take out /. first.

They took it!

"Moss-covered tortoise"? They borrowed my nickname for my beloved 386 SX-16 !

Re:They took it!

[Creepy+Crawler]

No no.. That would be "Rigor Mortis Tortoise"

I'm not dead yet!

[Ayanami+Rei]

That's awesome.

FYI: The local root exploits were fixed in various .40-pre patches, but they hadn't actually released a new stable version... not until after that interview a few days ago... :-)

Way to give it a kick in the ass!

Hey that's nothing...

[stefanlasiewski]

Ha, that's nothing.

This guy is still maintining the Linux 0.02 branch, and STILL hasn't released an update in over 13 years!

Re:Hey that's nothing...

[Hektor_Troy]

My favorite from that post?

"Hurd will be out in a year (or two, or next month, who knows)"

I think Duke Nuke'em Forever has some catching up to do ...

2.0 can still have its uses

[mnmn]

For machines with little RAM and extremely slow CPUs, this kernel kicks ass. If it can work beautifully on a 386-sx with 256MB hdd and 4MB Ram, (even 2mb if you push it), you can have embedded devices with slightly more ram using this kernel. If people can fit a tiny distro say on 64MB flash and let it run on 4MB ram, there are ARM MCUs with 4MB on board which you can gang up with 64MB flash and you'll have a linux box you can put in your ear.

All of a sudden QNX has another competition. Who knows the next Spirit or Opportunity might run Linux (although I'd strongly recommend them to use IBM microdrive and use kernel 2.4).

Re:2.0 can still have its uses

[nicolas.e]

although I'd strongly recommend them to use IBM microdrive

hard drives are not reliable enough for these purposes. And what's the point now that 1gb flash disks exist ? Even a normal linux distro would fit.

BTW, I think that spirit is using vxworks and not QNX.

Re:2.0 can still have its uses

[edesio]

The chances a HD survive the deceleration/impact phase of the journey are slim. Maybe, and a BIG maybe, a tape drive could survive.

Advantages of 2.0 over 2.2?

[jensend]

I'm just curious- why would one want to use 2.0 over 2.2? I understand the reasons one might want to use a kernel from before the 2.4 series on lower end or embedded devices (I installed a 2.2 kernel on a 486 laptop not all that long ago)- but I've been under the impression that 2.2 offered a lot of gains over 2.0 without being noticeably "heavier". For what things is the 2.0 kernel series more suitable than 2.2, and why?

QUIT FUCKING UP TROLLTALK

I'M GOING TO KICK YOUR ASS JIMMY O'LAMEY

Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.