Ubuntu Cuts Time to Eliminate Package Vulnerabilities

Cleber Souza, an engineer at Canonical who works on packaging the Linux kernel for Ubuntu, recently announced a transition to a new kernel update cycle. The new cycle, referred to as “4/2”, aims to deliver regular, pre-planned updates that include fixes for vulnerabilities found in the kernel, with urgent and critical issues handled on a fixed, shorter schedule.

Under the new scheme, Stable Release Updates (SRU) will be published every 4 weeks. These SRU updates will include fixes for issues identified in the Linux kernel. Two weeks after the start of the cycle, Security Updates (SU) will be published separately to address dangerous vulnerabilities and important problems. The preparation and testing of SRUs before publication will take 4 weeks, while SU updates will be completed within 2 weeks. Within the last 2 weeks of the SRU cycle, any remaining fixes for dangerous vulnerabilities and important issues will be transferred to the prepared SRU release.

This means that new versions of the kernel packages will now be released every two weeks, so the maximum delay before a fix for a dangerous vulnerability reaches users is no more than two weeks. As an example, the kernel 6.2 packages for Ubuntu 23.04 will follow this schedule: an SRU update with fixes from the main kernel branch will be published starting on August 7, followed by an SU update with vulnerability fixes on September 4, an SRU release on September 18, and so on.

The new scheme is expected to speed up the delivery of vulnerability fixes to users and make the development process more predictable. The previous three-week development cycle was inefficient at getting vulnerability fixes out: users had to wait up to three weeks for fixes to non-critical vulnerabilities, while critical problems, vulnerabilities, or regressions required unscheduled updates. Those unscheduled updates disrupted the planned kernel update process and delayed its publication, which in turn delayed the delivery of fixes for non-critical vulnerabilities as well.
