Linux kernel updates

[wognath]

In the month since jamesbond posted instructions for compiling 4.19.319 linux kernel for Fatdog, the version number at kernel.org has jumped to 4.19.322. How would I know if these are minor tweaks or significant security fixes? The changelog is incomprehensible to me.

In a security kernel upgrades item on the antiX forum, the last edit was 3 October 2022. 4.19.222 is one of the recommended kernels. So I infer that in the opinion of the antiX devs, there haven't been important kernel security issues since then.

In Fatdog, I use the same kernel for years without giving it a thought since I assume most kernel security flaws affect servers, not the home user. But in Artix, a rolling-release distro, the kernel is updated almost every week, it seems. Can someone enlighten me about how to know when updating a working kernel might be worthwhile?

[rockedge]

Can someone enlighten me about how to know when updating a working kernel might be worthwhile?

A more recent version of a kernel might make sense when you are using really newer hardware or require specific a configuration. Matching the kernel version to hardware can go both ways, with older machines using maybe a 4 or 5 series kernel and newer more powerful might benefit with a 6+ series kernel.

Otherwise, if your system works well and reliably, then there is really no reason to upgrade the kernel continuously.

I have systems that have never changed kernel. Like a 32 bit Tahr-6.0.5 still running as a local area network print server.

[bigpup]

If you want the operating system to always have the needed hardware support.

To be able to support the newest hardware, you will need to update the kernel.

No way can an older kernel, have hardware support for hardware that did not exist, when the kernel was produced.

Example:
I have a very new computer with very new hardware.
Only a series 6 Linux kernel will support it.
And only the recent series 6 versions.

So older Puppy versions, with series 4 or 5 kernels, will not even run on it.
No support for the hardware it has.

[dimkr]

Many Linux users don't read what kernel.org says and just blindly assume that Linux version follow the common semver scheme. They don't.

4.19.0 introduces new features not found in 4.18.x. Yes, 4.19 is the 'major version' and Linux doesn't have 'minor versions'. 4.19.1, 4.19.2, etc' are 'bugfix versions' that fix bugs and security issues, but don't introduce new features.

After 4.19 comes 5.0, because Linus doesn't want version numbers to reach 20. Yes, Linux 5.0 and 6.0 were not more significant than other major versions, like 4.19.0, 5.1, 5.19 or 6.1.

4.19.322 is 4.19.319 plus more bug or security fixes. If you use 4.19.x and want maximum security but no new features, update to the latest 4.19.x.

If you're using 4.19.x and want new features or support for hardware that came out after 4.19.0, update to a newer major version.

Not every device is vulnerable to all disclosed and fixed vulnerabilities, this depends on hardware, installed software, configuration, usage patterns and more, but updating periodically tends to be easier and faster than trying to decide whether or not the next update is important.

[wognath]

if your system works well and reliably, then there is really no reason to upgrade the kernel continuously.

That's what I wanted to hear!

bigpup, new hardware is not a problem here! I'm using an old computer that won't even boot with series 5 or 6 kernels (new feature: it won't boot with your hardware ). I upgraded the kernel because I thought there might be significant security improvements between 4.19.92 (latest 4. available in fatdog 810 repo) and 4.19.320.

4.19.1, 4.19.2, etc. are 'bugfix versions' that fix bugs and security issues, but don't introduce new features....4.19.322 is 4.19.319 plus more bug or security fixes. If you use 4.19.x and want maximum security but no new features, update to the latest 4.19.x..... updating periodically tends to be easier and faster than trying to decide whether or not the next update is important.

"bug or security fixes" is where my confusion lies. I want maximum security, but updating takes some effort (Fatdog makes it easy to swap the kernel, but compiling it takes hours) and I don't know how to find out if an update is important. I expect that if there appeared something like

the ‘meltdown’, ‘spectre’, ‘Foreshadow’, CVE-2019-8912, Zombieload, “SACK Panic” and BlueZ kernel vulnerabilities, plus others

there would soon be news of it in places like this forum, and patched kernels would be released. In the meantime, I'll forget the kernel and worry about something else

Thank you for the informative replies.

[dimkr]

I want maximum security, but updating takes some effort

Security and convenience, pick one

IMO updating once a month is reasonable, the risk is low if you're only updating to a later bugfix release and not to the latest kernel. No new features means very low risk of introducing new issues, while the manual process of risk assessment is very error prone.

Personally, I find it very annoying to read many long changelogs, the time it takes for me to update is much shorter than the time it takes to understand how many high severity issues affect my system. In addition, I update the entire OS, not just the kernel, and everything is automated. Therefore, it's both easier and safer to update every once in a while, without thinking too much.

EDIT: a distro with a security team and a CVE tracker can produce a list like https://security-tracker.debian.org/tra ... ase/stable but the process of checking which installed packages are vulnerable is still long