In a statement issued on Wednesday, Jeremy Allison, Ronnie Sahlberg and Jonathan Maple said on the surface it would appear that "carefully curated software patches applied to a known Linux kernel, frozen at a specific release, would obviously seem to be preferable to the random walk of an upstream open source Linux project".
However, after analysing the data, the trio came to the inescapable conclusion that the kernels shipped with commercial distributions were not preferable.
"The data shows that 'frozen' vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream 'stable' Linux kernel created by Kroah-Hartman," they said.
In June 2023, Red Hat, which IBM bought in 2019, tightened its grip on RHEL source code, saying it would make the sources available only to its paying customers.
Rocky Linux has presented itself as an alternative to CentOS, something that takes on added significance given that CentOS 7, the last release of the traditional CentOS Linux, which Red Hat's shift to CentOS Stream left without a successor, reached its end-of-life on 30 June 2024.
CIQ is offering something called CIQ Bridge "with up to three years of additional life for CentOS 7 beyond the official EOL, covering critical security updates for CVSS scores of 7 and above".
Allison, Sahlberg and Maple said they had reached the following conclusions from their research:
- A 'frozen' vendor kernel is an insecure kernel. A vendor kernel released later in the release schedule is doubly so.
- The number of known bugs in a 'frozen' vendor kernel grows over time.
- The growth in the number of bugs even accelerates over time.
- There are too many open bugs in these kernels for it to be feasible to analyse or even classify them.
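The comparison behind those conclusions, modelled as an added Python example (this is not the paper's own tooling, which ran over real kernel git histories). It assumes that a known bug is one upstream stable has fixed (a commit carrying a `Fixes:` trailer) and that a vendor backport is matched to its upstream fix by subject line, since backports get new commit hashes; the upstream log, the vendor branch and the hash values are all constructed sample data, not real kernel history.

```python
"""Model the gap between a frozen vendor kernel branch and upstream stable.

Added example, not the CIQ paper's code.  Assumptions: a known bug is an
upstream commit with a 'Fixes:' trailer, and a vendor backport is matched
to it by subject line because backports get new hashes.  All commits,
hashes and dates below are constructed, not real kernel history.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Commit:
    hash: str
    date: date
    subject: str
    fixes: Optional[str] = None   # upstream 'Fixes:' trailer, if the commit is a bug fix


# Constructed upstream stable log after a hypothetical branch point on 2024-01-01.
UPSTREAM_STABLE = [
    Commit("a1b2c3d", date(2024, 1, 15), "net: fix use-after-free in foo_close()", "Fixes: 0123abc"),
    Commit("b2c3d4e", date(2024, 1, 20), "docs: update maintainers"),
    Commit("c3d4e5f", date(2024, 2, 3), "fs: bar: fix NULL deref on mount", "Fixes: 456def7"),
    Commit("d4e5f60", date(2024, 2, 28), "usb: baz: fix OOB read in descriptor parse", "Fixes: 789abc0"),
    Commit("e5f6071", date(2024, 3, 10), "mm: fix refcount leak in qux_map", "Fixes: 0abc123"),
    Commit("f607182", date(2024, 3, 25), "kvm: fix stack overflow on nested exit", "Fixes: 1bcd234"),
    Commit("0718293", date(2024, 4, 12), "bpf: fix verifier bounds check", "Fixes: 2cde345"),
]

# Constructed vendor branch: two of the fixes were backported, with new hashes and later dates.
VENDOR_BACKPORTS = [
    Commit("vend001", date(2024, 2, 10), "[BACKPORT] net: fix use-after-free in foo_close()"),
    Commit("vend002", date(2024, 3, 30), "fs: bar: fix NULL deref on mount"),
]

MONTH_ENDS = [date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31), date(2024, 4, 30)]


def normalize(subject: str) -> str:
    """Strip backport decorations vendors add to subjects, then lower-case for matching."""
    s = subject.strip()
    for prefix in ("[BACKPORT]", "BACKPORT:", "UPSTREAM:"):
        if s.upper().startswith(prefix):
            s = s[len(prefix):].strip()
    return s.lower()


def missing_fixes(upstream: List[Commit], vendor: List[Commit]) -> List[Commit]:
    """Upstream fix commits (those with a Fixes: trailer) that have no vendor backport."""
    have = {normalize(c.subject) for c in vendor}
    return [c for c in upstream if c.fixes and normalize(c.subject) not in have]


def open_bugs_over_time(upstream: List[Commit], vendor: List[Commit],
                        months: List[date]) -> List[Tuple[date, int]]:
    """For each month end, count upstream fixes known by then that the vendor kernel still lacks.

    A bug counts as known once upstream has fixed it, and as open in the
    vendor kernel until the matching backport lands.
    """
    backport_date = {normalize(c.subject): c.date for c in vendor}
    series = []
    for m in months:
        open_count = 0
        for c in upstream:
            if not c.fixes or c.date > m:
                continue            # not a fix, or not yet known at this date
            landed = backport_date.get(normalize(c.subject))
            if landed is None or landed > m:
                open_count += 1     # fix exists upstream but not in the vendor branch yet
        series.append((m, open_count))
    return series


if __name__ == "__main__":
    for c in missing_fixes(UPSTREAM_STABLE, VENDOR_BACKPORTS):
        print(f"missing {c.hash} {c.date} {c.subject} ({c.fixes})")
    for m, n in open_bugs_over_time(UPSTREAM_STABLE, VENDOR_BACKPORTS, MONTH_ENDS):
        print(f"{m}: {n} known upstream fixes not in vendor kernel")
```

On the constructed data the open count climbs every month, which is the shape of the curve the paper describes: each month upstream fixes more known bugs than the vendor team backports, so the backlog in the frozen branch only grows. Against a real tree the same logic would be fed from `git log` of the stable branch and of the vendor kernel's patch queue.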
"There are still reasons you might still select a 'frozen' vendor kernel," the trio said. "One of them [is that] a vendor-defined internal kernel application binary interface doesn’t change over the lifetime of the release.
"If you are using hardware where the device driver hasn't (or won't, due to the attitude of the manufacturer) been submitted to the upstream Linux code tree then you may have no choice but to use a vendor kernel.
"Having said that, the Linux kernel used by Android devices is based on the upstream kernel and also has a stable internal kernel ABI, so this isn’t an insurmountable problem.
"But thinking that you’re making a more secure choice by using a 'frozen' vendor kernel isn’t a luxury we can still afford to believe."