Linux kernel updates

wognath
Posts: 18
Joined: Wed Jun 30, 2021 3:13 pm
Has thanked: 6 times
Been thanked: 1 time

Linux kernel updates

Post by wognath »

In the month since jamesbond posted instructions for compiling 4.19.319 linux kernel for Fatdog, the version number at kernel.org has jumped to 4.19.322. How would I know if these are minor tweaks or significant security fixes? The changelog is incomprehensible to me.

In a security kernel upgrades item on the antiX forum, the last edit was 3 October 2022. 4.19.222 is one of the recommended kernels. So I infer that in the opinion of the antiX devs, there haven't been important kernel security issues since then.

In Fatdog, I use the same kernel for years without giving it a thought :o since I assume most kernel security flaws affect servers, not the home user. But in Artix, a rolling-release distro, the kernel is updated almost every week, it seems. Can someone enlighten me about how to know when updating a working kernel might be worthwhile?

rockedge
Site Admin
Posts: 6543
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut, U.S.A.
Has thanked: 2749 times
Been thanked: 2624 times

Re: Linux kernel updates

Post by rockedge »

Can someone enlighten me about how to know when updating a working kernel might be worthwhile?

A more recent version of a kernel might make sense when you are using really new hardware or require a specific configuration. Matching the kernel version to hardware can go both ways, with older machines maybe using a 4 or 5 series kernel and newer, more powerful ones possibly benefiting from a 6+ series kernel.

Otherwise, if your system works well and reliably, then there is really no reason to upgrade the kernel continuously.

I have systems that have never changed kernel. Like a 32 bit Tahr-6.0.5 still running as a local area network print server.

bigpup
Moderator
Posts: 6993
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 911 times
Been thanked: 1528 times

Re: Linux kernel updates

Post by bigpup »

If you want the operating system to always have the needed hardware support, you will need to update the kernel.

To be able to support the newest hardware, you will need to update the kernel.

No way can an older kernel have hardware support for hardware that did not exist when the kernel was produced.

Example:
I have a very new computer with very new hardware.
Only a series 6 Linux kernel will support it.
And only the recent series 6 versions.

So older Puppy versions, with series 4 or 5 kernels, will not even run on it.
No support for the hardware it has.

The things you do not tell us, are usually the clue to fixing the problem.
When I was a kid, I wanted to be older.
This is not what I expected :o

dimkr
Posts: 2423
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Linux kernel updates

Post by dimkr »

Many Linux users don't read what kernel.org says and just blindly assume that Linux versions follow the common semver scheme. They don't.

4.19.0 introduces new features not found in 4.18.x. Yes, 4.19 is the 'major version' and Linux doesn't have 'minor versions'. 4.19.1, 4.19.2, etc. are 'bugfix versions' that fix bugs and security issues, but don't introduce new features.

After 4.19 comes 5.0, because Linus doesn't want version numbers to reach 20. Yes, Linux 5.0 and 6.0 were not more significant than other major versions, like 4.19.0, 5.1, 5.19 or 6.1.

4.19.322 is 4.19.319 plus more bug or security fixes. If you use 4.19.x and want maximum security but no new features, update to the latest 4.19.x.

If you're using 4.19.x and want new features or support for hardware that came out after 4.19.0, update to a newer major version.

Not every device is vulnerable to all disclosed and fixed vulnerabilities, this depends on hardware, installed software, configuration, usage patterns and more, but updating periodically tends to be easier and faster than trying to decide whether or not the next update is important.
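An added example (not from this thread or from any kernel.org tool) that puts dimkr's description of the version scheme into code: it classifies a proposed upgrade as a same-series bugfix release or a jump to a new "major" version (5.0 after 4.19 included), and it skims a stable ChangeLog for commits that cite a CVE id or use memory-safety wording, which is the quick triage the original question asks about. It assumes the ChangeLog uses the git-log layout published on kernel.org (indented subject line per commit); the changelog text below is constructed, the commit hashes are dummies and CVE-0000-0001 is a placeholder id.

```python
import re

# Linux versions: MAJOR.MINOR[.PATCH][-local suffix]. MINOR is what the
# thread calls the "major version" (new features); PATCH is a stable
# bugfix release. The "-fatdog" style suffix from `uname -r` is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """'4.19.322-fatdog' -> (4, 19, 322); '5.0' -> (5, 0, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Linux version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify_update(current, candidate):
    """'bugfix' = same stable series (fixes only, low regression risk);
    'major' = new features / hardware support, as in 4.19.x -> 5.0."""
    cur, cand = parse_version(current), parse_version(candidate)
    if cand == cur:
        return "same"
    if cand < cur:
        return "downgrade"
    if cand[:2] == cur[:2]:
        return "bugfix"
    return "major"


# Constructed sample in the assumed kernel.org ChangeLog (git-log) layout.
CHANGELOG = """\
commit 1111111111111111111111111111111111111111
Author: Example Maintainer <maintainer@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    Linux 4.19.322

    Signed-off-by: Example Maintainer <maintainer@example.invalid>

commit 2222222222222222222222222222222222222222
Author: Example Developer <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    net: example: fix use-after-free on device teardown

    [ Upstream commit 3333333333333333333333333333333333333333 ]

    Placeholder description. Fixes CVE-0000-0001 (placeholder id).

    Signed-off-by: Example Developer <dev@example.invalid>

commit 4444444444444444444444444444444444444444
Author: Example Developer <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    ALSA: example: correct typo in error message

    [ Upstream commit 5555555555555555555555555555555555555555 ]
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Heuristic wording that usually marks a memory-safety or race fix.
KEYWORDS = ("use-after-free", "overflow", "out-of-bounds", "double free",
            "uninitialized", "race")


def summarize_changelog(changelog):
    """One dict per commit: subject line, CVE ids cited, keywords hit."""
    entries = []
    for chunk in re.split(r"(?m)^commit [0-9a-f]+\n", changelog)[1:]:
        body = [ln for ln in chunk.splitlines() if ln.startswith("    ")]
        if not body:
            continue
        lowered = chunk.lower()
        entries.append({
            "subject": body[0].strip(),
            "cves": sorted(set(CVE_RE.findall(chunk))),
            "keywords": [k for k in KEYWORDS if k in lowered],
        })
    return entries


def security_relevant(entries):
    """Commits worth reading first: any CVE id or a memory-safety keyword."""
    return [e for e in entries if e["cves"] or e["keywords"]]


if __name__ == "__main__":
    print(classify_update("4.19.319", "4.19.322"))  # bugfix
    print(classify_update("4.19.322", "5.0"))       # major
    for e in security_relevant(summarize_changelog(CHANGELOG)):
        print(e["subject"], e["cves"], e["keywords"])
```

The keyword list is only a triage aid: a commit can be security-relevant without any of those words, which is exactly why the reply above recommends updating to the latest bugfix release on a schedule rather than judging each one.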

wognath
Posts: 18
Joined: Wed Jun 30, 2021 3:13 pm
Has thanked: 6 times
Been thanked: 1 time

Re: Linux kernel updates

Post by wognath »

rockedge wrote:

if your system works well and reliably, then there is really no reason to upgrade the kernel continuously.

That's what I wanted to hear!

bigpup, new hardware is not a problem here! I'm using an old computer that won't even boot with series 5 or 6 kernels (new feature: it won't boot with your hardware :lol: ). I upgraded the kernel because I thought there might be significant security improvements between 4.19.92 (latest 4. available in fatdog 810 repo) and 4.19.320.

dimkr wrote:

4.19.1, 4.19.2, etc. are 'bugfix versions' that fix bugs and security issues, but don't introduce new features....4.19.322 is 4.19.319 plus more bug or security fixes. If you use 4.19.x and want maximum security but no new features, update to the latest 4.19.x..... updating periodically tends to be easier and faster than trying to decide whether or not the next update is important.

"bug or security fixes" is where my confusion lies. I want maximum security, but updating takes some effort (Fatdog makes it easy to swap the kernel, but compiling it takes hours) and I don't know how to find out if an update is important. I expect that if there appeared something like

antiX wrote:

the ‘meltdown’, ‘spectre’, ‘Foreshadow’, CVE-2019-8912, Zombieload, “SACK Panic” and BlueZ kernel vulnerabilities, plus others

:shock: there would soon be news of it in places like this forum, and patched kernels would be released. In the meantime, I'll forget the kernel and worry about something else :?

Thank you for the informative replies.

dimkr
Posts: 2423
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Linux kernel updates

Post by dimkr »

wognath wrote: Wed Sep 18, 2024 3:47 pm

I want maximum security, but updating takes some effort

Security and convenience, pick one :)

IMO updating once a month is reasonable, the risk is low if you're only updating to a later bugfix release and not to the latest kernel. No new features means very low risk of introducing new issues, while the manual process of risk assessment is very error prone.

Personally, I find it very annoying to read many long changelogs, the time it takes for me to update is much shorter than the time it takes to understand how many high severity issues affect my system. In addition, I update the entire OS, not just the kernel, and everything is automated. Therefore, it's both easier and safer to update every once in a while, without thinking too much.

EDIT: a distro with a security team and a CVE tracker can produce a list like https://security-tracker.debian.org/tra ... ase/stable but the process of checking which installed packages are vulnerable is still long
