Kernel security and maintenance advice needed. Recompile existing or build latest?
A solution for my laptop (ACPI issues) requires compiling a kernel. I've built a kernel before but it was from a "how-to". I'm in need of advice re: maintaining a custom kernel from a security point.
My current system (Debian) comes with 3.1.0 kernel. Latest vanilla kernel is 3.1.4. I read that distros tweak kernels for their needs and it would seem logical to stay with Debian's kernel.
From security and ease of maintenance standpoint, is it better to stay with my distro kernel and just recompile every time I do an upgrade? Or should I compile the latest kernel and keep applying patches as those become available.
3.1 is good now. My question is about maintaining it in the future as security fixes come around. I'll still need to recompile (for my ACPI issue). So, is it more advisable to re-compile my distro's kernel (Debian is always a few versions behind) or, as long as I'm compiling, get the latest kernel.org kernel and keep applying patches. Wouldn't kernel.org be a step ahead on security matters than Debian? Or not necessarily?
I follow upstream kernel.org stable kernels on my Slackware system, but Slackware doesn't have the same sort of dedicated kernel/security team setup that Debian has, so I'm not losing anything by going it alone. What I normally do is stick to updates within the latest stable series until Greg K-H makes his usual "This is the last in this series, time to move on" announcement.
I think it's going to be a case of Swings and roundabouts: You'll gain anything new from kernel.org, but lose anything that the debian guys bring to the table. For Slackware it's a no-brainer as it's no Swings and all Roundabouts. The situation with debian isn't so clear cut.
...dedicated kernel/security team setup that Debian has.
...You'll gain anything new from kernel.org, but lose anything that the debian guys bring to the table.
Since my focus is heavily on security & stability rather than performance & hardware... Two questions:
1. Would I be correct in assuming that, as long as all my hardware needs are met by my distro's kernel, I would "gain more" by staying with Debian's security team vs upstream?
2. What is the correct/recommended re-compile procedure (since I'm not a building-from-source expert): When I do an upgrade and get a new kernel, is it more advisable to go line-by-line, input my needed changes and re-compile? Or can I use the option "import/use current settings" and simply apply those to the new kernel (I'm worried that, even though importing 'current settings' is easier, it might override something that the Debian team did, which resulted in getting a new kernel in the first place).
1) I would think so, but I'm not a Debian user and really not the best person to ask. As a generalisation, sticking with the distro-maintained kernel where possible seems like a good choice, especially so if you are unsure of how to proceed.
2) If you're just updating by just a version or two then it's probably best to run an existing kernel config file through "make oldconfig". If you're going up several versions all at once then you may be better off starting from scratch, or seeing if you can beg/borrow/steal a config file from someone who has already done the hard work - Configuring a kernel from scratch is a bit of a daunting task and will eat a good deal of your time to do properly.
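A worked version of the "make oldconfig" route from the reply above, added here as an example; it is not code from the thread, from Debian, or from the kernel tree. It assumes the standard Debian location /boot/config-$(uname -r) for the running kernel's config and an unpacked newer source tree passed as an argument; the two sample configs in demo() are constructed, and CONFIG_HYPOTHETICAL_NEW is an invented option name. The config_diff helper is the check that addresses the worry in question 2: after make oldconfig it lists every option whose value differs from the distro config, so a hardening setting that quietly changed (here CONFIG_STRICT_DEVMEM) shows up before anything is built.

```shell
#!/bin/sh
# Added example, not from the thread. Carries an existing Debian kernel
# config forward to a newer source tree with "make oldconfig" and reports
# which options changed relative to the distro config.

# Print a .config as "CONFIG_X=value" lines, turning the
# "# CONFIG_X is not set" form into "CONFIG_X=n" so both compare cleanly.
normalize_config() {
    awk '
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2 "=n"; next }
        /^CONFIG_[A-Za-z0-9_]+=/            { print }
    ' "$1"
}

# Options whose value differs between the distro config ($1) and the config
# produced by "make oldconfig" ($2). Output lines: "CONFIG_X old -> new".
# Options present on only one side are reported as "(absent)".
config_diff() {
    old=$(mktemp); new=$(mktemp)
    normalize_config "$1" > "$old"
    normalize_config "$2" > "$new"
    awk -F= '
        # value = everything after the first "=", so quoted values keep their "="
        FNR == NR { o[$1] = substr($0, length($1) + 2); next }
                  { n[$1] = substr($0, length($1) + 2) }
        END {
            for (k in o) if (!(k in n))          print k, o[k], "->", "(absent)"
            for (k in n) if (!(k in o))          print k, "(absent)", "->", n[k]
            for (k in o) if ((k in n) && o[k] != n[k]) print k, o[k], "->", n[k]
        }' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# The procedure itself: reuse the running kernel's config (Debian ships it in
# /boot), let "make oldconfig" prompt only for options the newer tree added,
# then diff the result against the distro config before building
# (on Debian the tree's own "make deb-pkg" target produces installable .debs).
# Only runs when invoked as: sh this.sh --build /path/to/linux-src
carry_config_forward() {
    ksrc=$1
    distro_cfg="/boot/config-$(uname -r)"
    cp "$distro_cfg" "$ksrc/.config"
    ( cd "$ksrc" && make oldconfig )
    config_diff "$distro_cfg" "$ksrc/.config"
}

# Stand-alone demonstration on constructed configs (not real Debian configs).
demo() {
    d=$(mktemp -d)
    cat > "$d/distro" <<'EOF'
CONFIG_ACPI=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_CMDLINE="root=/dev/sda1 quiet"
EOF
    cat > "$d/oldconfig" <<'EOF'
CONFIG_ACPI=y
# CONFIG_STRICT_DEVMEM is not set
# CONFIG_DEVKMEM is not set
CONFIG_CMDLINE="root=/dev/sda1 quiet"
CONFIG_HYPOTHETICAL_NEW=m
EOF
    config_diff "$d/distro" "$d/oldconfig"
    rm -rf "$d"
}

if [ "${1:-}" = "--build" ]; then
    carry_config_forward "$2"
fi
```

Running demo prints two lines: CONFIG_HYPOTHETICAL_NEW went from absent to m (a genuinely new option the prompt asked about), and CONFIG_STRICT_DEVMEM went from y to n, which is exactly the kind of distro hardening choice worth restoring before the build.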