
Re: debian kernel



Ivan Glushkov wrote:
> I want to compile the newest (2.6.21.5) kernel on my Debian lenny 

This is a little dated now that Etch has released, it was written for
Sarge, but it is still very good recommended reading for building
kernels on Debian.  I offer it as additional reference.

  http://newbiedoc.sourceforge.net/system/kernel-pkg.html

> Centrino laptop. In http://kernel-handbook.alioth.debian.org (2.2) is 
> stated that the kernel offered in Debian repository is:
> 
>  "obtained by taking the source from linux-major_version.orig.tar.gz 
> (that is, pristine kernel source, processed by the prune-non-free 
> script) and applying a set of Debian patches. These patches typically 
> implement essential fixes for serious bugs and security holes."
>
> Are the essential fixes supplied by the debian patches the same as the 
> kernel.org ones,

Generally the patches indicated there are security fixes into the
stable kernel.  The stable kernel in Etch is now at 2.6.18 and will
remain so throughout the stable release lifetime.  As critical
problems are found they will be added as patches to that kernel.

For the most part if you are building the very latest pristine kernel
from kernel.org then you won't need the Debian security patches
because they would mostly be already in the new kernel.

However Debian patches have in the past also included new features
that were not in the mainstream kernel.org kernel.  Usually they
appeared in other well known kernel branches.  For example previous
Debian patches included the ability to use a compressed initrd
(initial ramdisk) at boot time.  This is now standard in the upstream
kernel.org kernel.  I am not current on the present state of the
Debian patches and so can't comment on whether a particular feature
you need will be there or not.  You might as well try it and worry
about it only if it fails for you.

For example, IIRC and other caveats since I am not current on this
info, the encrypted filesystem support was previously supplied as
patched modules loaded in the initrd.  This required both an mkinitrd
that was programmed with the knowledge of encrypted filesystems and
the modules to be present for that kernel.  If special patched
features such as these were used then trying to boot a kernel without
the patched in support for that feature would fail.  But for a fairly
generic system with a fairly generic installation a pristine
kernel.org kernel can certainly be compiled without any patches and
work fine.  A large population of Linux users only use upstream
kernels from kernel.org.

The summary of my comments is that generally the pristine kernel.org
kernel should always be okay.  Unless you are using a special feature
that has been added in as a patch in which case you will need that
feature patched in of course.

> or it is simply coincidence that the latest version number of the
> kernel.org kernel (2.6.21.5) and the debian one (2.6.21-5) are the
> same? And if not, can I apply them to my kernel.org kernel?

In most cases you should be able to apply the Debian patches directly to
the kernel.org kernel.  Since the patch tree that you are looking at
is matching the kernel version it should be okay.

> In the end which approach will give me the kernel with the latest 
> security patches?

Today?  Tomorrow?  Or next week?  If you build your own kernel from
the upstream sources *you* become the distributor of it and will need
to keep aware of security issues relating to it.  The security of the
kernel is directly dependent on your ability to keep aware of issues
and to react to them.

For concerns about security I recommend the Debian Stable kernel,
currently Etch.  This is 2.6.18 in Etch and it includes security
upgrades as they become available.  This provides a large benefit
because of the shared team of people who help out with that kernel.

Bob


