LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How often do you upgrade your kernel? (http://www.linuxquestions.org/questions/linux-security-4/how-often-do-you-upgrade-your-kernel-770112/)

abefroman 11-18-2009 10:47 PM

How often do you upgrade your kernel?
 
How often do you upgrade your kernel?

Stéphane Ascoët 11-19-2009 12:47 AM

Almost never...
 
The one that is in my head: never...
My Linux ones: Only when I'm forced to do it(newer kernel needed by new software).

DragonSlayer48DX 11-19-2009 04:19 AM

Every three years, when I upgrade my distro.

unixfool 11-19-2009 10:39 AM

Quote:

Originally Posted by Stéphane Ascoët (Post 3762263)
The one that is in my head: never...
My Linux ones: Only when I'm forced to do it(newer kernel needed by new software).

Agreed. There have been times where I've waited 2+ years and mitigated the risk (and things were fine). This is for a server that I treat as a production machine, though its for my own use and isn't business-affiliated. For a network that is exclusively Linux though (or close to it), I'd probably have a more frequent upgrade plan.

H_TeXMeX_H 11-19-2009 01:43 PM

Quote:

Originally Posted by dragonslayer48dx (Post 3762429)
Every three years, when I upgrade my distro.

Around that. Sometimes I may have a reason to upgrade sooner, but it's rare.

mostlyharmless 11-19-2009 02:06 PM

Agree with the above, unfortunately there aren't any options for that in your poll.

AlucardZero 11-19-2009 02:43 PM

If there's a security update, I'll install it but not reboot until I have another reason for it.

i92guboj 12-01-2009 11:00 AM

The only correct answer for a machine that's connected to the net is "each time there's a new stable release". Unfortunately there's no such option in the poll, I will vote more than once a month because that's roughly every two weeks I think.

GrapefruiTgirl 12-01-2009 11:13 AM

I'm pretty much with Jesús above -- I follow the patches on kernel.org, and when one either is security related, or fixes or improves something related to my hardware (or in the case of major (?) version increases like from 2.6.30 -> 2.6.31), I generally patch up to that release and rebuild. Sometimes this means rebuilding more than once per month, and sometimes less often. I voted for option 4.

Sasha

anomie 12-01-2009 12:22 PM

Believe it or not, due to office change control procedures and/or politics, it's not always possible to perform frequent kernel upgrades. It's easy to take a hard line on this (which I agree with, BTW), but when the boss man refuses and you have a mortgage to pay, you'll likely adhere to the formal policy.

I voted "once a year". That's what it realistically is on certain production systems.

unSpawn 12-01-2009 02:23 PM

Indeed business agreements dictate different upgrade routines but for a net-facing SOHO machine to only receive updates on a yearly basis or more just does not seem right IMHO. For me personally it's within 24 hours of time of update for (almost all) machines.

abefroman 12-01-2009 02:35 PM

Quote:

Originally Posted by unSpawn (Post 3776041)
Indeed business agreements dictate different upgrade routines but for a net-facing SOHO machine to only receive updates on a yearly basis or more just does not seem right IMHO. For me personally it's within 24 hours of time of update for (almost all) machines.

Since there is at least one local level privilege escalation exploit a year that is a pretty bad move to do it only once a year or less.

I've been using fanout to run a yum update and then reboot multiple servers at once.

Then I have fanout run uname to make sure the kernel upgrade took effect. Sometimes I have to change grup, or yum has a dependency problem that needs fixing.

i92guboj 12-01-2009 03:13 PM

For workstations that don't contain anything critical you can live with the same kernel for 20 years if that's your boss' wish, but for a production machine that's exposed to the net, that's just plain wrong. If that's the boss' policy, so be it, but that doesn't make it any better.

I know you have no control over that, but it like everything wrong in life: you can ignore it or try to change it.

unSpawn 12-01-2009 03:35 PM

Quote:

Originally Posted by i92guboj (Post 3776104)
For workstations that don't contain anything critical you can live with the same kernel for 20 years

So how about machines that are not part of the critical infrastructure but may serve as springboard to other systems?..

i92guboj 12-01-2009 03:51 PM

Quote:

Originally Posted by unSpawn (Post 3776146)
So how about machines that are not part of the critical infrastructure but may serve as springboard to other systems?..

It depends on the kind of access they have to the critical systems. Anything containing sensible info should be secured as much as possible. It needs to be evaluated on a case by case basis.

In general, I never neglect any machine, even if it's function is apparently trivial.


All times are GMT -5. The time now is 12:25 PM.