
Vanilla Kernel users are still on their own

Posted Sep 13, 2013 14:04 UTC (Fri) by giggls (subscriber, #48434)
Parent article: Opening up kernel security bug handling

Back in 2010 I wrote a rant in my blog about the subject:

http://blog.gegg.us/2010/09/when-running-kernel-org-kerne...

Now in 2013 I still need to decide based on phrases like "must upgrade" or "should upgrade" whether minor kernel updates are relevant for me or not.

IMO, the perfect solution would be a tool, e.g. run by a cronjob, which checks a running kernel's version and .config, telling me if I have a kernel vulnerable to some known security-related bug.

Sven


Vanilla Kernel users are still on their own

Posted Sep 13, 2013 15:47 UTC (Fri) by dlang (guest, #313) [Link] (1 responses)

As someone who has been running the vanilla kernels in production since the 1.3 days, let me say that trying to look at phrases like "must upgrade" or "should upgrade" to decide is meaningless. There is no rigour in deciding which phrase to use, so you are trying to extract meaning where there was no meaning put there in the first place. You may as well roll dice and decide.

If you are running the vanilla kernel, you need to either plan to upgrade to every version, live with the fact that there are vulnerabilities that you haven't patched, or look at the list of patches to see if there are patches to anything that you have compiled into your kernel (which is why you should have a minimal config, so that you can ignore the vast majority of patches as not being relevant to your config).

Now, I'll point out that if you are running a distro patch, you have the exact same problem of running a system with bugs (including security bugs) that have been fixed upstream, you just don't have the ability to do anything about it. And the distro kernels are very much the opposite of the minimal config that lets you not worry about most patches, they tend to compile in every possible option.
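The checker giggls asks for above, which also exercises dlang's point that a fix only matters if the affected code is compiled in, as an added example that is not code from anyone in this thread: it parses a `uname -r` string and .config text and matches them against advisory records. The advisory identifiers, fixed-in versions and Kconfig symbols are constructed placeholders, not real kernel bugs.

```python
import re

# Constructed advisories (hypothetical, not real kernel bugs): identifier, first
# stable release carrying the fix, and the Kconfig symbol that must be enabled
# (=y or =m) for the bug to matter; None means every configuration is affected.
ADVISORIES = [
    ("EXAMPLE-0001", "3.10.11", "CONFIG_IPX"),
    ("EXAMPLE-0002", "3.10.12", "CONFIG_USB_STORAGE"),
    ("EXAMPLE-0003", "3.10.9", None),
]

def parse_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '3.10.10-custom' into (3, 10, 10)."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # so '3.11' compares as 3.11.0

def parse_config(text: str) -> dict:
    """Parse .config text; '# CONFIG_X is not set' lines are recorded as 'n'."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        unset = re.match(r"# (CONFIG_\w+) is not set$", line)
        if unset:
            config[unset.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            config[key] = value.strip('"')
    return config

def relevant_advisories(release: str, config_text: str) -> list:
    """Identifiers of fixes this kernel lacks *and* whose code it has built."""
    running = parse_version(release)
    config = parse_config(config_text)
    hits = []
    for ident, fixed_in, symbol in ADVISORIES:
        if running >= parse_version(fixed_in):
            continue  # the fix is already in this release
        if symbol is not None and config.get(symbol, "n") == "n":
            continue  # affected code is not compiled in, so not relevant here
        hits.append(ident)
    return hits

# Constructed stand-ins for `uname -r` output and /proc/config.gz contents.
SAMPLE_RELEASE = "3.10.10-custom"
SAMPLE_CONFIG = """CONFIG_IPX=m
# CONFIG_USB_STORAGE is not set
CONFIG_LOCALVERSION="-custom"
"""
```

Feeding it the sample input reports only EXAMPLE-0001: the USB fix is skipped because that driver is not built, and the third fix is already in 3.10.10.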

Vanilla Kernel users are still on their own

Posted Sep 13, 2013 18:24 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]

> Now, I'll point out that if you are running a distro patch, you have the exact same problem of running a system with bugs (including security bugs) that have been fixed upstream, you just don't have the ability to do anything about it. And the distro kernels are very much the opposite of the minimal config that lets you not worry about most patches, they tend to compile in every possible option.

Yes, this can be a problem. In Debian we've made some attempts to reduce the attack surface while still providing features for those who want them. For example, I've patched out the module aliases for the less widely used and tested network address families so that they won't be loaded just because a user called socket(AF_VULNERABLE, ...).

Vanilla Kernel users are still on their own

Posted Sep 13, 2013 18:17 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]

If you're referring to stable update announcements, the difference between 'should upgrade' and 'must upgrade' is that my script uses a less prescriptive template message than Greg. That's all there is to it.

The only time you're likely to see a different message in the announcement is when the previous stable update caused a regression for some configurations and this one fixes that single regression.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds