The Linux Kernel Archives
The Linux kernel community operates a Code of Conduct based on the Contributor Covenant Code of Conduct.
Code of Conduct Committee
The Linux kernel Code of Conduct Committee is currently made up of the following people:
Committee members can be reached all at once by writing to .
Committee Reports
We would like to thank the Linux kernel community members who have supported the adoption of the Code of Conduct and who continue to uphold the professional standards of our community. If you have any questions about these reports, please write to .
December 2019
In the period of December 1, 2019 through December 30, 2019 the Committee received the following report:
The result of the investigation:
August to November 2019
In the period of August 1, 2019 through November 31, 2019, the Committee received no reports.
September 2018 to July 2019
In the period of September 15, 2018 through July 31, 2019, the Committee received the following reports:
- Inappropriate language in the kernel source: 1
- Insulting behavior in email: 3
The result of the investigations:
Other articles
The Linux Kernel Organization
The Linux Kernel Organization is a California Public Benefit Corporation established in 2002 to distribute the Linux kernel and other Open Source software to the public without charge. We are recognized by the IRS as a 501(c)3 private operating foundation.
About Linux Kernel
What is Linux?
Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance.
It has all the features you would expect in a modern fully-fledged .
Legal disclaimers and copyright
Copyright and license
Except where otherwise stated, content on this site is copyright (C) 1997-2014 by The Linux Kernel Organization, Inc. and is made available to you under the Creative Commons Attribution ShareAlike 4.0 International License.
Distributed software is copyrighted by their respective contributors and are distributed under their .
Other resources
Social
This site is operated by the Linux Kernel Organization, Inc., a 501(c)3 nonprofit corporation, with support from the following sponsors.
The Linux Kernel Archives
There are several main categories into which kernel releases may fall:
Prepatch Prepatch or «RC» kernels are mainline kernel pre-releases that are mostly aimed at other kernel developers and Linux enthusiasts. They must be compiled from source and usually contain new features that must be tested before they can be put into a stable release. Prepatch kernels are maintained and released by Linus Torvalds. Mainline Mainline tree is maintained by Linus Torvalds. It’s the tree where all new features are introduced and where all the exciting new development happens. New mainline kernels are released every 2-3 months. Stable After each mainline kernel is released, it is considered «stable.» Any bug fixes for a stable kernel are backported from the mainline tree and applied by a designated stable kernel maintainer. There are usually only a few bugfix kernel releases until next mainline kernel becomes available — unless it is designated a «longterm maintenance kernel.» Stable kernel updates are released on as-needed basis, usually once a week. Longterm There are usually several «longterm maintenance» kernel releases provided for the purposes of backporting bugfixes for older kernel trees. Only important bugfixes are applied to such kernels and they don’t usually see very frequent releases, especially for older trees.
| Version | Maintainer | Released | Projected EOL |
|---|---|---|---|
| 5.4 | Greg Kroah-Hartman & Sasha Levin | 2019-11-24 | Dec, 2025 |
| 4.19 | Greg Kroah-Hartman & Sasha Levin | 2018-10-22 | Dec, 2024 |
| 4.14 | Greg Kroah-Hartman & Sasha Levin | 2017-11-12 | Jan, 2024 |
| 4.9 | Greg Kroah-Hartman & Sasha Levin | 2016-12-11 | Jan, 2023 |
| 4.4 | Greg Kroah-Hartman & Sasha Levin | 2016-01-10 | Feb, 2022 |
Distribution kernels
Many Linux distributions provide their own «longterm maintenance» kernels that may or may not be based on those maintained by kernel developers. These kernel releases are not hosted at kernel.org and kernel developers can provide no support for them.
It is easy to tell if you are running a distribution kernel. Unless you downloaded, compiled and installed your own version of kernel from kernel.org, you are running a distribution kernel. To find out the version of your kernel, run uname -r :
If you see anything at all after the dash, you are running a distribution kernel. Please use the support channels offered by your distribution vendor to obtain kernel support.
The Linux Kernel Archives
All kernel releases are cryptographically signed using OpenPGP-compliant signatures. Everyone is strongly encouraged to verify the integrity of downloaded kernel releases by verifying the corresponding signatures.
Basic concepts
Every kernel release comes with a cryptographic signature from the person making the release. This cryptographic signature allows anyone to verify whether the files have been modified or otherwise tampered with after the developer created and signed them. The signing and verification process uses public-key cryptography and it is next to impossible to forge a PGP signature without first gaining access to the developer’s private key. If this does happen, the developers will revoke the compromised key and will re-sign all their previously signed releases with the new key.
To learn more about the way PGP works, please consult Wikipedia.
Kernel.org web of trust
PGP keys used by members of kernel.org are cross-signed by other members of the Linux kernel development community (and, frequently, by many other people). If you wanted to verify the validity of any key belonging to a member of kernel.org, you could review the list of signatures on their public key and then make a decision whether you trust that key or not. See the Wikipedia article on the subject of the Web of Trust.
Using the Web Key Directory
If the task of maintaining your own web of trust is too daunting to you, you can opt to shortcut this process by using the «Trust on First Use» (TOFU) approach and rely on the kernel.org Web Key Directory (WKD).
To import keys belonging to many kernel developers, you can use the following command:
For example, to import keys belonging to Linus Torvalds and Greg Kroah-Hartman, you would use:
This command will verify the TLS certificate presented by kernel.org before importing these keys into your keyring.
Using GnuPG to verify kernel signatures
All software released via kernel.org has detached PGP signatures you can use to verify the integrity of your downloads.
To illustrate the verification process, let’s use Linux 4.6.6 release as a walk-through example. First, use » curl» to download the release and the corresponding signature:
You will notice that the signature is made against the uncompressed version of the archive. This is done so there is only one signature required for .gz and .xz compressed versions of the release. Start by uncompressing the archive, using unxz in our case:
Now verify the .tar archive against the signature:
You can combine these steps into a one-liner:
It’s possible that you get a «No public key error»:
Please use the » gpg2 —locate-keys » command listed above to download the key for Greg Kroah-Hartman and Linus Torvalds and then try again:
To make the » WARNING» message go away you can indicate that you choose to trust that key using TOFU:
Note that you may have to pass » —trust-model tofu» the first time you run the verify command, but it should not be necessary after that.
The scripted version
If you need to perform this task in an automated environment or simply prefer a more convenient tool, you can use the following helper script to properly download and verify Linux kernel tarballs:
Please review the script before adopting it for your needs.
Important fingerprints
Here are key fingerprints for Linus Torvalds, Greg Kroah-Hartman, Sasha Levin, and Ben Hutchings, who are most likely to be releasing kernels:
| Developer | Fingerprint |
|---|---|
| Linus Torvalds | ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886 |
| Greg Kroah-Hartman | 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E |
| Sasha Levin | E27E 5D8A 3403 A2EF 6687 3BBC DEA6 6FF7 9777 2CDC |
| Ben Hutchings | AC2B 29BD 34A6 AFDD B3F6 8F35 E7BF C8EC 9586 1109 |
Please verify the TLS certificate for this site in your browser before trusting the above information.
If you get «BAD signature»
If at any time you see «BAD signature» output from » gpg2 —verify «, please first check the following first:
- Make sure that you are verifying the signature against the .tar version of the archive, not the compressed (.tar.xz) version.
- Make sure the the downloaded file is correct and not truncated or otherwise corrupted.
If you repeatedly get the same «BAD signature» output, please email helpdesk@kernel.org, so we can investigate the problem.
Kernel.org checksum autosigner and sha256sums.asc
We have a dedicated off-the-network system that connects directly to our central attached storage and calculates checksums for all uploaded software releases. The generated sha256sums.asc file is then signed with a PGP key generated for this purpose and that doesn’t exist outside of that system.
These checksums are NOT intended to replace developer signatures. It is merely a way for someone to quickly verify whether contents on one of the many kernel.org mirrors match the contents on the master mirror. While you may use them to quickly verify whether what you have downloaded matches what we have on our central storage system, you should continue to use developer signatures for best assurance.
Kernel releases prior to September, 2011
Prior to September, 2011 all kernel releases were signed automatically by the same PGP key:
Due to the kernel.org systems compromise, this key has been retired and revoked. It will no longer be used to sign future releases and you should NOT use this key to verify the integrity of any archives. It is almost certain that this key has fallen into malicious hands.
All kernel releases that were previously signed with this key were cross-checked and signed with another key, created specifically for this purpose:
The private key used for this purpose has been destroyed and cannot be used to sign any releases produced after 2011.