Why a ‘frozen’ distribution Linux kernel isn’t the safest choice for security
It's a compelling story and on the surface makes a lot of sense. Carefully curated software patches applied to a known Linux kernel, frozen at a specific release, would obviously seem to be preferable to the random walk of an upstream open source Linux project. But is it true? Is there data to support this ?
After a lot of hard work and data analysis by my CIQ kernel engineering colleagues Ronnie Sahlberg and Jonathan Maple, we finally have an answer to this question. It's no. The data shows that frozen" vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream stable" Linux kernel created by Greg Kroah-Hartman.
Jeremy Allison at CIQ
I mean, it kind of makes sense. The full whitepaper is available, too.