

Kpatch: Dynamic Linux kernel patching - patrickaljord
https://github.com/dynup/kpatch?hn

======
chomp
I was at the Linuxcon talk for this yesterday; here are the slides:

[http://events.linuxfoundation.org/sites/events/files/slides/...](http://events.linuxfoundation.org/sites/events/files/slides/kpatch-linuxcon_2.pdf)

It's important to note that it's not exactly production ready, but it can work
with really simple CVEs (things that don't require changes to data structures
and such).

Because of this, kpatch needs a person to manually review the patch before
applying it, so some kernel knowledge is required to make sure that you're
making a good patch.

I do think that it'll get better as time goes on. This is a really neat
feature and brings an open source competitor to ksplice.

~~~
gue5t
That's [http://events.linuxfoundation.org/sites/events/files/slides/...](http://events.linuxfoundation.org/sites/events/files/slides/kpatch-linuxcon_3.pdf) now.

------
spb
How is this different from ksplice?

~~~
kapilvt
in a word. support.

as opposed to oracle overlords, who will eventually stop supporting
grandfather'd customers and only support unbreakable linux.

there's kgraft and kpatch (suse and redhat respectively), different
capabilities.

background links (kgraft/ksplice)
[http://lwn.net/Articles/584016/](http://lwn.net/Articles/584016/)
[http://lwn.net/Articles/589183/](http://lwn.net/Articles/589183/)

edit.. oracle also owns patents on ksplice.

------
sam_bwut
Wait, how handy will this be for adding backdoors once you have root?

~~~
michaelmior
Patch modules can be signed, so assuming you only need signed patches (which
seems reasonable), this shouldn't be too much of a concern.

