SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
To my understanding, 3.10 is reaching end of life this September? https://www.kernel.org/category/releases.html according to that website. Will there be a kernel update coming out? To my understanding, doing backports into the existing kernel would go against part of Slackware's philosophy of having "vanilla" packages...right? I don't know really, thats why I have come here. If not, we will be staying on 3.10 without any updates to it?
Yes but I am referring to the stable releases. We will be stuck on 3.10.7? Isn't this bad from a security standpoint?
As previously alluded to the next stable release of Slackware(14.2) will have a kernel that is newer than 3.10.7. The development branch of Slackware (slackware-current) presently has the 4.1.16 kernel.
That's just a grossly oversimplified soundbite, not a security engineering policy.
Who's to say that tomorrow someone will announce a privilege escalation bug that was introduced in 3.10.18? This kind of thing really does happen regularly.
Your security needs depend on what threats you face, which itself depends on who you are and what your box is used for. If you're a bank, or if you're a defence contractor, you should have specialist employees who are paid to test and integrate, instead of some inflexible dumb policy that says what is "bad from a security standpoint".
For a 'capture the flag' competition, the difference between 3.10.17 and 4.1.6 is probably just a question of how long it takes to get root. But before that, an attacker needs some kind of unprivileged access, and in the real world that is more likely to depend on your browser, or simple theft of the box itself.
If you're a small business, it's worth making a test system with a new kernel (e.g. 4.1.6 from -current) before you run your production systems on it.
And if you're a nobody that mostly just browses, the biggest threat to your box is if you fluff a kernel upgrade. Best not do that too often Really. Think about it. How many threads do you see here that say "my Slackware 13.37 box got pwned"? And then how many threads do you see here that say "I tried to upgrade and now it won't boot, how do I get my system back"?
You assume that the slackware philosophy of presenting software as intended from the author (vanilla description) means that slackware has to follow a strict adherence of not back-porting security fixes. If you study how the packages are built, that is not necessarily true. I'm sure it is all situational what decision is made.
You also should realize, that back-porting fixes made 3.10.xx-stable what it is. The devs likely submitted the fixes to the kernel mainline, and someone spent their time back-porting to the supported stable branches. So it is a matter of know how, who it is, and need, if 3.10.xx gets an update. Lastly, just because a kernel is EOL according to some kernel maintainer doesn't mean it can't be secure for anyone to use.
Okay so I seem to be getting answers that seem to circumvent my question and ones that seem in denial or something. Basically that I shouldn't worry about security depending on what I am doing with the computer, although I do rely on security with what what I'm doing even if it's just a personal server for me. I'm not trying to offend anyone...
My question is simply when 3.10.7 becomes EOL, will Slackware 14.1 still use 3.10.7? will there be no update announced to vring it to another supported kernel? Or will Pat patch any possible future bugs that are discovered? That's all I am asking.
As previously alluded to the next stable release of Slackware(14.2) will have a kernel that is newer than 3.10.7. The development branch of Slackware (slackware-current) presently has the 4.1.16 kernel.
You fail to understand my question. I am asking if 14.1 users are stuck on 3.10.7. Will pat add any fixes or whatever is necessary himself in the kernel 3.10.7 for 14.1 if the issue arises? Or will 3.10.7 just be left as is on 14.1?
You assume that the slackware philosophy of presenting software as intended from the author (vanilla description) means that slackware has to follow a strict adherence of not back-porting security fixes. If you study how the packages are built, that is not necessarily true. I'm sure it is all situational what decision is made.
You also should realize, that back-porting fixes made 3.10.xx-stable what it is. The devs likely submitted the fixes to the kernel mainline, and someone spent their time back-porting to the supported stable branches. So it is a matter of know how, who it is, and need, if 3.10.xx gets an update. Lastly, just because a kernel is EOL according to some kernel maintainer doesn't mean it can't be secure for anyone to use.
Hmm I see, what bothers me is not that just because it's EOL it's no longer secure , but it's an issue arises like security or bug, will "we" who are on 14.1 receive a fix for it? As you say there have been backports in 3.10 but from the kernel developers, which exactly my point...this time around these patches would have to be done by Pat. If so, great. If not, I may need to move distros.
As you say there have been backports in 3.10 but from the kernel developers, which exactly my point...this time around these patches would have to be done by Pat. If so, great.
No, Pat does not have to write security patches. I think you misunderstand the process, and the kernel stable branch.
Quote:
If not, I may need to move distros.
OK, sure. But if they get security fixes, then everyone has them. Nothing really has changed.
It seems that users are stuck with 3.10.17 since th 14.1-release anyhow, latest is 3.10.87. I think you are better off keeping the kernel up to date yourself (except maybe running current).
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,094
Rep:
Quote:
Originally Posted by Altiris
To my understanding, 3.10 is reaching end of life this September? https://www.kernel.org/category/releases.html according to that website. Will there be a kernel update coming out? To my understanding, doing backports into the existing kernel would go against part of Slackware's philosophy of having "vanilla" packages...right? I don't know really, thats why I have come here. If not, we will be staying on 3.10 without any updates to it?
I think the previous replies have spoken to your question, but not directly.
It sounds, to me, like you are asking when will there be a new stable release of Slackware. That is, a release with a newer kernel what will run as well, with all the changes, as the present stable release.
No one knows, except Mr. Volkerding, when we will see a new stable release, but as 14.1 is just two months short of being two years old, I think we will see a new stable release in the near future.
While we are waiting, please keep in mind there have been many security updates to 14.1, some as recently as last week.
You can view those here,
Please note the kernel security update on 20 February of this year.
To change a kernel in the present stable release would be a major undertaking and it would probably break many packages, which, in turn, would need to be "fixed," which, in turn, would defeat the whole purpose of the development release known as "-current" (in my opinion).
If you need a new kernel you could build you own, many users do, but, again, it could cause complications.
You could run -current, the development branch, but, as previously pointed out, you should test it before using it for "production" purposes.
If the present stable release, 14.1, runs for you, and as you can see at the link above, it has been kept up to date with security updates, then you might consider keeping it until the next stable version becomes available. If you need support for new equipment you can trying "rolling you own" kernel as previously mentioned.
Last edited by cwizardone; 09-09-2015 at 02:09 PM.
Will pat add any fixes or whatever is necessary himself in the kernel 3.10.7 for 14.1 if the issue arises? Or will 3.10.7 just be left as is on 14.1?
Pat did issue a patch for the 3.10.7 kernel on 14.1. As the need arises he will issue patches as security issues come up. If that isn't good enough you can always install your own kernel or move up to slackware-current.
You can safely run 3.10.87, or upgrade to 3.12.47 that has a planned EOL in 2016. This should allow you to feel safe until the release of Slackware 14.2. Config files adapted to Slackware version 14.1 are provided in the mirrors, for instance here. You would just have to grab a kernel source tarball version 3.12.47 at time of writing.
Last edited by Didier Spaier; 09-09-2015 at 02:10 PM.
Pat did issue a patch for the 3.10.7 kernel on 14.1. As the need arises he will issue patches as security issues come up. If that isn't good enough you can always install your own kernel or move up to slackware-current.
That was my main question. I should have worded it as "Will Pat become the maintainer of the 3.10.x kernel for Slackware 14.1?" essentially was what I was concerned with because of how one of Slackware's goals/philosophies I think is to remain as upstream/vanilla as possible and so that COULD mean Pat wouldn't touch the 3.10.x kernel. Having confirmation from Pat or someone from the team would be helpful though. Consdering that 3.10.17 is still in use since 14.1 was released, http://www.slackware.com/announce/14.1.php I am guessing he will not be touching/maintaining the kernel? Wow, looking here https://www.kernel.org/pub/linux/ker...ngeLog-3.10.87 the 3.10 kernel goes as high as as 3.10.87? Thats a lot....so any of the bugs that have been fixed in 3.10.87 are prevent in Slackware's 3.10.17?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.