On 4/17/2013 1:10 AM, Hans-J. Ullrich wrote:
> On Wednesday, 17 April 2013, Tixy wrote:
>> On Tue, 2013-04-16 at 22:59 -0500, Stan Hoeppner wrote:
>>> Linux greer 3.2.6 #1 SMP Mon Feb 20 17:05:10 CST 2012 i686 GNU/Linux
>>>
>>> 22:35:31 up 412 days, 10:05, 1 user, load average: 1.18, 0.97, 0.44
>>
>> So you are over a year behind in installing security updates for the
>> kernel. (I know, if your machine doesn't have untrusted users and is
>> well removed or disconnected from the internet, then that doesn't really
>> matter).
>
> This must not be so. Look, in my case I used a self-compiled kernel with
> very few modules. And as the only security holes have been in kernel
> modules I did not compile, I did not need to install a new kernel. Those
> modules were just nonexistent. KISS-style. It makes things more secure!
I build all my server kernels from vanilla source. Not only do I not use
modules, but I go a step further, removing module support from the kernel
entirely. I use SLAB instead of SLUB, and the deadline elevator. I build in
disk/network/etc drivers along with the firmware blob. I do not use an init
ramdisk. All of my systems have a small boot partition holding the kernel
image, config, and map. And I use LILO. My kernels are pretty lightweight,
stripped of anything I can identify as unnecessary:

-rw-r--r-- 1 root root 605K Feb 20  2012 System.map-3.2.6
-rw-r--r-- 1 root root  38K Feb 20  2012 config-3.2.6
-rw-r--r-- 1 root root 1.7M Feb 20  2012 vmlinuz-3.2.6

Normally I build new kernels about every 6 months, but I've been holding
back for a bit as 3.2.6 has been working very well, and I don't want to get
my kernel too far ahead of my userspace. For example, the bleeding edge XFS
kernel code doesn't particularly like many years old xfsprogs. I'll
probably bump up to 3.8.x after Wheezy finally ships.

-- 
Stan
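The monolithic layout Stan describes (no module support, SLAB, the deadline elevator, firmware built in, no initramfs) can be checked against a kernel .config. The script below is an added example, not code from the thread or from Stan; it assumes the 3.x-era config symbol names (CONFIG_MODULES, CONFIG_SLAB, CONFIG_DEFAULT_IOSCHED, CONFIG_BLK_DEV_INITRD, CONFIG_EXTRA_FIRMWARE), and the two .config fragments it audits are constructed, not taken from any real system.

```shell
#!/bin/sh
# Constructed example, not code from the thread: audit a kernel .config for the
# layout Stan describes (no module support, SLAB, deadline elevator, firmware
# built in, no initramfs). Real use: audit_kconfig /boot/config-$(uname -r)

# 0 if SYMBOL is built in (=y); "# SYMBOL is not set", =m or absence are not.
cfg_is_y() { grep -q "^$2=y\$" "$1"; }
# Print the string value of SYMBOL without quotes, or nothing if unset.
cfg_str() { sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" "$1"; }
# Count CONFIG_*=m entries: code that would only exist as a loadable module.
cfg_count_m() { grep -c '^CONFIG_[A-Z0-9_]*=m$' "$1" || true; }

# Print each deviation from the monolithic layout; exit status = number found.
audit_kconfig() {
    f=$1; n=0
    if cfg_is_y "$f" CONFIG_MODULES; then
        echo "MODULES: loadable modules enabled, $(cfg_count_m "$f") built as =m"; n=$((n+1))
    fi
    if ! cfg_is_y "$f" CONFIG_SLAB; then
        echo "SLAB: allocator is not SLAB"; n=$((n+1))
    fi
    if [ "$(cfg_str "$f" CONFIG_DEFAULT_IOSCHED)" != deadline ]; then
        echo "IOSCHED: default elevator is not deadline"; n=$((n+1))
    fi
    if cfg_is_y "$f" CONFIG_BLK_DEV_INITRD; then
        echo "INITRD: initramfs support enabled"; n=$((n+1))
    fi
    if [ -z "$(cfg_str "$f" CONFIG_EXTRA_FIRMWARE)" ]; then
        echo "FIRMWARE: no firmware blobs built into the image"; n=$((n+1))
    fi
    return $n
}

# Two constructed .config fragments (only the symbols checked above): a
# monolithic one like Stan's, and a distro-style modular one.
MONO_CFG=$(mktemp); DISTRO_CFG=$(mktemp)
printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_SLAB=y' \
    'CONFIG_DEFAULT_IOSCHED="deadline"' '# CONFIG_BLK_DEV_INITRD is not set' \
    'CONFIG_EXTRA_FIRMWARE="placeholder/nic.fw"' >"$MONO_CFG"
printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_SLUB=y' \
    'CONFIG_DEFAULT_IOSCHED="cfq"' 'CONFIG_BLK_DEV_INITRD=y' \
    'CONFIG_EXTRA_FIRMWARE=""' 'CONFIG_XFS_FS=m' 'CONFIG_E1000E=m' \
    >"$DISTRO_CFG"
for c in "$MONO_CFG" "$DISTRO_CFG"; do
    audit_kconfig "$c" && rc=0 || rc=$?; echo "$c: $rc deviation(s)"
done
```

A running system's config is normally at /boot/config-$(uname -r), or /proc/config.gz when CONFIG_IKCONFIG_PROC is set. On a kernel that does keep module support, the sysctl kernel.modules_disabled=1 is the runtime counterpart that stops any further module loading until reboot.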