LinuxQuestions.org
Old 04-26-2006, 06:44 AM   #1
Murdock1979
Member
 
Registered: Oct 2003
Distribution: Slackware Debian VectorLinux
Posts: 429
Blog Entries: 2

Linux Security Primer


Hello!

After much learning experience (and toil), I finally managed to configure a system to my liking. It is a laptop, so things were a bit more complicated.

However, I am seeing now that there are many security issues, and I feel a bit desperate with them. I patched up my 2.6.12 kernel with all the laptop configs, only to find out that I should upgrade my kernel because of security issues. And upgrading a kernel means patching, configuring, installing, etc.

Also, I see Firefox and other applications have holes as well. So does this mean I need to run updates all the time? I am not interested in newer versions of applications, because they can many times need new configuring, just because of security issues.

Any help getting the security thing straight would be great.

Murdock
 
Old 04-26-2006, 07:19 AM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Since you didn't list which distro you're using, let's pretend it's Slackware.

Why would you need to upgrade from 2.6.12 because of security issues? You can compile that kernel with no modules, everything built in, and it should be as secure as any later version. If not, you can either get the new sources and recompile using your present .config file, or patch it. New sources is easier for me, and I like that better than patches -- but it's just personal preference. You can do this in perhaps 10 minutes or less depending upon your CPU.

For Slackware there is a ChangeLog that contains updated apps for security issues. I've linked you to Slackware-10.2, since it's the latest stable version as of this date. You could easily search and find the same for a different version.

With Slackware all you need do is get the Slackpacks from an official Slackware mirror, then upgrade your system by issuing as root "upgradepkg --install-new <packagename>" and it's done for you. Can't be easier, or work better, than that.
 
Old 04-26-2006, 07:25 AM   #3
Murdock1979
Member
 
Registered: Oct 2003
Distribution: Slackware Debian VectorLinux
Posts: 429

Original Poster
Blog Entries: 2

Thank you for the straightforward pragmatic reply.

As for upgrading because of kernel holes, here's a typical example: http://www.securityfocus.com/bid/17587
Bugs in the kernel are being patched all of the time.

So the question is how often I should recompile my kernel if I am happy with the current system?

Murdock
 
Old 04-26-2006, 07:59 AM   #4
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Please accept my apology for the reply -- I had to Google "define: pragmatic" to learn.

At the moment I can't provide a link, but believe that I've read that a kernel is not vulnerable if you compile it without modules. For instance, on my server this is the output:
Code:
mingdao@paul:~$ lsmod
Module                  Size  Used by    Not tainted
mingdao@paul:~$
Though it took using a proxy server from here, I navigated to the link you provided and read:
Quote:
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com
While there are some security issues, it seems that reading the Kernel.org Changelog will let you know if there is one that warrants a new kernel.

As for patching, configuring, installing -- I don't have those issues. For maybe 2 years I've been running 2.6 kernels, and this is all I do.

1 - download source from Kernel.org via wget to the kernel-source directory on my server
2 - cp to kernel build directory on comp on the LAN and cd to there
3 - tar -xvjf linux-2.6.16.11.tar.bz2
4 - cd ./linux-2.6.16.11
5 - make silentoldconfig (answering any changes, which you are aware of because of the Changelog previously read)
6 - make
7 - cp System.map /boot/System.map-2.6.16.11 ; ln -sf /boot/System.map-2.6.16.11 /boot/System.map
8 - make modules_install (if you have any modules, not if you don't)
9 - cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.16.11
10 - edit /etc/lilo.conf
11 - lilo
12 - reboot and enjoy shiny new Linux kernel

That is really how simple it is, and this AMD Athlon(tm) 64 Processor 3200+ has a 1M L2 cache, and runs make on full, new, virgin kernel source in about 8 minutes. So the whole process really is less than 15 minutes.

Now, on my server, I'm still running Slackware-10.1 with patched apps and a custom 2.4.31.

And I tried RedHat and Debian before Slackware. Their package managers, IMO, can't compare with Slackware's pkgtool. And Pat posts patched apps, so it's really quite easy. I live in China, where bad guys on the internet rule, and in three years have had nothing hurt. I do have quite a bit of security presence, but I think that's easy for anybody willing to learn.

But it goes without saying I'm not a security expert, so I should never have replied maybe. What I do for kernels on mission critical systems is read the Changelogs. There are lots of changes that have nothing whatsoever to do with my hardware, which is basically why my server is still running a 2.4.31 kernel after all this time. You know, if it ain't broke, don't fix it.
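
Added example, not part of the original thread or any poster's own script: post #4 suggests reading the Kernel.org Changelog to decide whether a new kernel is warranted, and this filter lists the commits in a git-log style ChangeLog whose message mentions a CVE id or a security-related keyword. The function names, the keyword list and the sample entries (including the placeholder CVE id) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage a kernel.org-style ChangeLog: list commits whose message mentions a
# CVE id or a security-related keyword (keyword list is an assumption).

# Constructed sample in git-log layout; these are not real kernel commits.
sample_changelog() {
cat <<'EOF'
commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.org>
Date:   Mon Apr 24 10:00:00 2006 -0700

    [PATCH] examplefs: fix buffer overflow in readdir (CVE-0000-0001)

    Constructed entry for illustration.

commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.org>
Date:   Mon Apr 24 11:00:00 2006 -0700

    [PATCH] exampledrv: add support for a new PCI id

commit 3333333333333333333333333333333333333333
Author: Example Dev <dev@example.org>
Date:   Mon Apr 24 12:00:00 2006 -0700

    [PATCH] examplenet: fix information leak to userspace
EOF
}

# Reads ChangeLog files (or stdin); prints "<short id> <subject>" per hit.
security_commits() {
  awk '
    function emit() { if (id != "" && hit) print substr(id, 1, 12), subj }
    /^commit [0-9a-f]+$/ { emit(); id = $2; subj = ""; hit = 0; next }
    /^    / {
      line = substr($0, 5)
      if (subj == "" && line != "") subj = line   # first message line
      if (tolower(line) ~ /cve-[0-9]+-[0-9]+|security|overflow|privilege|info(rmation)? leak|denial of service|use.after.free/)
        hit = 1
    }
    END { emit() }
  ' "$@"
}

# Demo run on the constructed sample; for real use pass a ChangeLog file path.
sample_changelog | security_commits
```

A keyword match is a triage aid only: fixes with security impact are not always labelled as such in commit messages, so an empty result does not show that a release has no security-relevant changes.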
 
  


All times are GMT -5. The time now is 03:04 AM.
