# [Solved] When to upgrade kernel to secure home PC?

## katabami

Hi. When should I upgrade the kernel to be secure? My PC is for desktop use and I connect to the internet with DSL. Put differently, how do you know the kernel security information relevant to you?

I watch the Debian security notification page (in addition to GLSA; I know GLSA excludes the kernel), but that doesn't help much for the gentoo or vanilla kernel. It's an old question, and I've been a Linux user for more than a decade, but I'm still not sure. ;)

My rule was to compile the latest stable gentoo-sources, but some time ago I tried a git kernel to bisect, and the former habit is gone.

Thanks beforehand.

Last edited by katabami on Thu Sep 15, 2011 6:05 am; edited 1 time in total

----------

## mp342

If you use the latest stable gentoo-sources, a new ebuild is pushed when there is a security issue.

----------

## katabami

Thanks, mp342. One "problem" there is this: suppose 2.6.40-r4 is the latest stable, and 2.6.40-r10 is the latest in the 2.6.40 series. Now comes a security fix. Then the patch is applied on top of r10, right? Usually r11 won't be stable so soon; I don't know what makes r10/r11 testing, and I'm hesitant to use it. (It seems this issue has been discussed, but I'm a layman who doesn't know about it at all.)

But that's not much of a problem; I don't even know if there are any security issues which affect me, r4, r11, or whichever. I'd like to omit unnecessary kernel compilation, but is that not recommended in Gentoo? (I know server users can stick to 2.6.32.)

An introduction for Gentoo newcomers on this point would be good, which would also be good for a 7-year user like me. ;)

----------

## mp342

Here is what I have understood about security fixes:

When a security bug for a stable ebuild is discovered, a new release of the ebuild is published (I don't know what the base for this ebuild is, the last stable release or the last release of the series).

This new release is stabilized within a few days; I think the delay depends on the severity of the security bug.

Have a look at the ChangeLog of the ebuild you use for your kernel and search for 'security'; you'll understand it better.

Regards.

----------
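The ChangeLog search mp342 suggests can be scripted. The following is an added example, not code from this thread or from Gentoo: it scans a gentoo-sources ChangeLog in the 2011-era layout for version bumps whose entry mentions "security", then compares the newest such bump against a running kernel version using Gentoo-style component-wise comparison (so 2.6.39-r10 sorts above 2.6.39-r4, which a plain string compare gets wrong). The ChangeLog excerpt embedded below is constructed sample data with placeholder maintainer details; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find security bumps in a gentoo-sources
# ChangeLog and decide whether the running kernel predates the newest one.

# Constructed ChangeLog excerpt (sample data, not a real gentoo-sources ChangeLog).
# Real usage would read /usr/portage/sys-kernel/gentoo-sources/ChangeLog instead.
SAMPLE_CHANGELOG='*gentoo-sources-2.6.39-r4 (30 Aug 2011)

  30 Aug 2011; Example Dev <dev@example.invalid> +gentoo-sources-2.6.39-r4.ebuild:
  Linux patch 2.6.39.4. Security bump; stabilizing shortly.

*gentoo-sources-2.6.39-r3 (12 Jul 2011)

  12 Jul 2011; Example Dev <dev@example.invalid> +gentoo-sources-2.6.39-r3.ebuild:
  Linux patch 2.6.39.3. Bugfix release only.

*gentoo-sources-2.6.39-r2 (20 Jun 2011)

  20 Jun 2011; Example Dev <dev@example.invalid> +gentoo-sources-2.6.39-r2.ebuild:
  Linux patch 2.6.39.2. Security fix included.
'

# security_bumps: print one version per line (in ChangeLog order) for every
# "*gentoo-sources-<ver>" entry whose text mentions "security", any case.
security_bumps() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | awk '
        function emit() { if (ver != "" && tolower(body) ~ /security/) print ver }
        /^\*gentoo-sources-/ {
            emit()
            ver = $1; sub(/^\*gentoo-sources-/, "", ver)
            body = ""
            next
        }
        { body = body " " $0 }
        END { emit() }
    '
}

# ver_cmp A B: print -1, 0 or 1. Splits both versions on non-digits and compares
# the numeric components in order, padding the shorter one with zeros, so
# 2.6.39 < 2.6.39-r1 and 2.6.39-r4 < 2.6.39-r10.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, /[^0-9]+/); nb = split(b, pb, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# newest_security_bump: the highest version among security_bumps, chosen with
# ver_cmp rather than trusting the ChangeLog to be newest-first.
newest_security_bump() {
    best=""
    for v in $(security_bumps); do
        if [ -z "$best" ] || [ "$(ver_cmp "$v" "$best")" -gt 0 ]; then
            best=$v
        fi
    done
    [ -n "$best" ] && echo "$best"
}

# needs_update RUNNING: print the newest security bump and return 0 if it is
# newer than RUNNING; return 1 if the running kernel is already at or past it.
needs_update() {
    newest=$(newest_security_bump) || return 1
    if [ "$(ver_cmp "$newest" "$1")" -gt 0 ]; then
        echo "$newest"
        return 0
    fi
    return 1
}

# Usage: sh check_kernel.sh 2.6.39-r3
if [ $# -gt 0 ]; then
    if v=$(needs_update "$1"); then
        echo "security bump $v is newer than running $1: rebuild"
    else
        echo "no security bump newer than $1 in this ChangeLog"
    fi
fi
```

The match on the word "security" is only as good as the maintainer's wording in the ChangeLog, which is exactly the limitation katabami runs into below when comparing against Debian's advisory count; treat a hit as a prompt to read the entry, not as a verdict.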

## katabami

I didn't know that. Thanks.

But there's one thing I don't understand: Debian has released kernel security fixes 4 times this year so far [1], but the gentoo-sources ChangeLog doesn't have the word "security" that often. I don't know Debian and I do think this comparison is naive, but can anyone resolve my question?

[1] http://www.debian.org/security/2011/

Regards.

----------

## mp342

If Debian policy hasn't changed since I used it, Debian uses a specific version of the kernel for each stable release. When a security issue is found, they backport the fix to the stable version.

With Gentoo, the stable kernel version moves continuously, which could explain why there are fewer security fixes.

I'm not an expert in Gentoo security; maybe someone has a better explanation.

----------

## krinn

A security fix pushes a version to stable.

So if you run a stable kernel X-r1 and the unstable one is X-r10, the security fix will stabilize X-r11 (for a critical issue; it will be the -r10 one plus the version bump for the fix), and then stable and unstable could be the same for a moment.

And you have fewer security fixes than Debian because they stick to a kernel version and so need to publish far more security fixes to backport them, as generally a security issue found in a kernel version also affects previous versions.

And it's really a non-issue for a desktop system, because from an attacker's point of view, it's a weak machine, as it could be kept offline a long time and rebooted when the user feels the need.

Most big kernel flaws are privilege escalation (the goal is to be root to get your computer under control); this implies access to it, and desktop computers have limited access by nature. They also have weak resources (slower, or limited by volume bandwidth in enterprises) or are just slower because poor users never really get high bandwidth from the ISP.

Additionally, using high CPU or bandwidth resources from that kind of computer will be easily detected by the user -> "Why the hell do I have such a high ping in quakewars!"

As you see, no need to worry that much.

----------

## katabami

Thanks, mp342 and krinn. I've created a gentoo-wiki page to record it:

http://en.gentoo-wiki.com/wiki/Keeping_your_kernel_secure

Anyone please improve it.

Regards.

----------

## cach0rr0

I generally keep an eye on what the grsecurity/PaX people do.

They're often the first people to find a security flaw in the latest kernel.

So whenever they publish a fix, I keep an eye out, cross-reference, and update my kernel whenever the "official" devs have ported their own inferior fix into mainline.

It's imperfect, but at least by following grsecurity/PaX you know of new bugs that exist fairly quickly. Cross-referencing their fixes to determine when a fix has reached mainline is a very unscientific process.

----------