Hacker News

Copy Fail, Dirty Frag, and Fragnesia kernel vulnerabilities

113 points by akhuettel, yesterday at 3:27 PM, 42 comments

Comments

himata4113, yesterday at 4:35 PM

Expanding on gentoo's recommendations:

I wonder if we should just universally accept that live patching should become part of the Linux kernel? An automatic job (much like the ones that update some system packages in some distros) that installs (signed) live patches from upstream? Of course we would run into a problem where a malicious patch can now be distributed reliably to hundreds of thousands of machines, but we already have that at a lower level with normal application updates.

Canonical has thus far proved that it can be safe, but they're also a massive organization that is locking this feature for $200/yr for any commercial use.

It would be neat if such patches could retroactively replace tagged functions that have identical semantics, so that they would automatically get backported without extra effort from the maintainers.

yjftsjthsd-h, yesterday at 5:35 PM

> We recommend exploring ways to automate upgrading your kernel

Like, running emerge -u @world on a regular basis, or ...

/me searches

Okay, so https://wiki.gentoo.org/wiki/Live_patching exists but says,

> A note of caution: Kernel live patching is risky. Count on hard freezing or panics to become normal...

That's not encouraging.

---

Another approach: Can we make the kernel vulns less important? Has anyone had luck moving more things to run under gvisor or firecracker or such?

romaniv, yesterday at 6:46 PM

Clearly, the future is LLM-generated patches that get instantly vibecoded and installed on all machines without any human review. In fact, this is such a good idea that it should be illegal and impossible to run your computer without being connected to such a system. There are no other alternatives. /sarcasm

clircle, yesterday at 4:04 PM

Is Gentoo an outlier or do all Linux distributions deal with this problem?
