
Re: what's your Debian uptime?



On 4/17/2013 1:10 AM, Hans-J. Ullrich wrote:
> On Wednesday, 17 April 2013, Hans-J. Ullrich wrote:
>> On Tue, 2013-04-16 at 22:59 -0500, Stan Hoeppner wrote:
>>> Linux greer 3.2.6 #1 SMP Mon Feb 20 17:05:10 CST 2012 i686 GNU/Linux
>>>
>>>  22:35:31 up 412 days, 10:05,  1 user,  load average: 1.18, 0.97, 0.44
>>
>> So you are over a year behind in installing security updates for the
>> kernel. (I know, if your machine doesn't have untrusted users and is
>> well removed or disconnected from the internet, then that doesn't really
>> matter).
> 
> This must not be so. Look, in my case I used a self-compiled kernel, with very 
> few modules. And as the only security holes have been in kernel modules I did 
> not compile, I did not need to install a new kernel. Those modules were just not 
> existent. KISS-style. It makes things more secure!

I build all my server kernels from vanilla source.  Not only do I not
use modules, but I go a step further removing module support from the
kernel entirely.  I use SLAB instead of SLUB, and the deadline elevator.
I build in disk/network/etc drivers along with the firmware blob.  I do
not use an init ramdisk.  All of my systems have a small boot partition
holding the kernel image, config, and map.  And I use LILO.  My kernels
are pretty lightweight, stripped of anything I can identify as unnecessary:

-rw-r--r--  1 root root 605K Feb 20  2012 System.map-3.2.6
-rw-r--r--  1 root root  38K Feb 20  2012 config-3.2.6
-rw-r--r--  1 root root 1.7M Feb 20  2012 vmlinuz-3.2.6

Normally I build new kernels about every 6 months, but I've been holding
back for a bit as 3.2.6 has been working very well, and I don't want to
get my kernel too far ahead of my userspace.  For example, the bleeding
edge XFS kernel code doesn't particularly like many years old xfsprogs.
I'll probably bump up to 3.8.x after Wheezy finally ships.

-- 
Stan
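The thread pits attack surface (what was compiled out) against patch currency (how old the running kernel is). The script below is an added example, not code from the thread or from Debian: it audits a kernel `.config` for the build choices Stan lists (no loadable module support, SLAB rather than SLUB, deadline as the default elevator, no initial ramdisk, firmware built into the image) and reports each as OK or WARN. The Kconfig symbols are the real 3.x-era ones (`CONFIG_MODULES`, `CONFIG_SLAB`, `CONFIG_DEFAULT_DEADLINE`, `CONFIG_BLK_DEV_INITRD`, `CONFIG_EXTRA_FIRMWARE`); the two sample configs it writes are constructed for illustration. Such an audit tells you which advisories cannot apply because the code is absent, which is Hans's point; it says nothing about whether the core code you did build is current, which is Tixy's.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a kernel .config for the
# build choices Stan describes (no loadable modules, SLAB, deadline scheduler,
# no initramfs, firmware built in). Kconfig symbols are the real 3.x-era ones;
# the two sample configs are constructed here for illustration.

# write_sample_config KIND: write a constructed .config to a temp file, print its path.
write_sample_config() {
    f="${TMPDIR:-/tmp}/kconfig-sample.$$.$1"
    case "$1" in
    lean)    # constructed to match the lean build described in the thread
        cat > "$f" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_SLAB=y
# CONFIG_SLUB is not set
CONFIG_DEFAULT_DEADLINE=y
CONFIG_DEFAULT_IOSCHED="deadline"
# CONFIG_BLK_DEV_INITRD is not set
CONFIG_EXTRA_FIRMWARE="example-nic.fw"
EOF
        ;;
    distro)  # constructed to look like a typical distribution kernel
        cat > "$f" <<'EOF'
CONFIG_MODULES=y
# CONFIG_SLAB is not set
CONFIG_SLUB=y
CONFIG_DEFAULT_CFQ=y
CONFIG_DEFAULT_IOSCHED="cfq"
CONFIG_BLK_DEV_INITRD=y
CONFIG_EXTRA_FIRMWARE=""
EOF
        ;;
    esac
    echo "$f"
}

# Predicates over a .config: each takes FILE SYMBOL.
opt_is_y()     { grep -q "^$2=y\$" "$1"; }          # SYMBOL=y
opt_off()      { ! grep -q "^$2=[ym]\$" "$1"; }     # absent or "is not set"
opt_nonempty() { grep -q "^$2=\"..*\"\$" "$1"; }    # string option with a value

# run_check MESSAGE PREDICATE ARGS...: print OK/WARN and count deviations in $fails.
run_check() {
    msg=$1; shift
    if "$@"; then
        echo "OK   $msg"
    else
        echo "WARN $msg"
        fails=$((fails + 1))
    fi
}

# audit_config FILE: report each check; exit status is the number of deviations.
audit_config() {
    cfg=$1
    fails=0
    run_check "loadable module support compiled out (CONFIG_MODULES unset)"      opt_off      "$cfg" CONFIG_MODULES
    run_check "SLAB allocator selected (CONFIG_SLAB=y)"                           opt_is_y     "$cfg" CONFIG_SLAB
    run_check "deadline is the default I/O scheduler (CONFIG_DEFAULT_DEADLINE=y)" opt_is_y     "$cfg" CONFIG_DEFAULT_DEADLINE
    run_check "no initial ramdisk support (CONFIG_BLK_DEV_INITRD unset)"          opt_off      "$cfg" CONFIG_BLK_DEV_INITRD
    run_check "firmware built into the image (CONFIG_EXTRA_FIRMWARE set)"         opt_nonempty "$cfg" CONFIG_EXTRA_FIRMWARE
    echo "$fails deviation(s) from the lean build described in the thread"
    return "$fails"
}

# Usage: sh kconfig-audit.sh /boot/config-$(uname -r)
# With no argument, audit the two constructed samples instead.
if [ -n "$1" ]; then
    audit_config "$1" || true
else
    for kind in lean distro; do
        f=$(write_sample_config "$kind")
        echo "== sample '$kind' config =="
        audit_config "$f" || true
        rm -f "$f"
    done
fi
```

On a real machine point it at `/boot/config-$(uname -r)` (Stan keeps this file on his boot partition) or at the output of `zcat /proc/config.gz` when the kernel was built with `CONFIG_IKCONFIG_PROC`. The exit status is the deviation count, so it slots into a cron job or a configuration-management check without parsing the text.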
