On Mon, Feb 19, 2018 at 01:23:25PM +0000, Michael Fothergill wrote:
>
> Checkout the debian backports suite (kindly resourcefully suggested by
> Andy Smith)
> Easiest thing to do when requiring a newer kernel would be to check
> the backports suite, so in this case in stretch-backports we find
> linux-image-amd64:
>
> <https://packages.debian.org/stretch-backports/linux-image-amd64>
>
> That's a virtual package that gets you the latest real kernel
> package available in that suite, which right now is
> linux-image-4.14.0-0.bpo.3-amd64:
>
> <https://packages.debian.org/stretch-backports/linux-image-amd64>
>
> From there, if you look on the right you will see the Debian
> changelog link
>
> <http://ftp-master.metadata.debian.org/changelogs//main/l/linux/linux_4.14.13-1~bpo9+1_changelog>
>
> which tells us that this corresponds to upstream release 4.14.13.
> The upstream release was made on 10 January and this backports
> package came on 14 January, so that's pretty swift.
>
> Newer kernels should be there now and there may well be one that deals
> with both the meltdown and spectre vulnerabilities jointly.
>

No!!!!!!!!!!
That is not at all how the backports repository is intended to be used.

I have been maintaining Debian packages for many years and I have on occasion uploaded backports of my packages. The packages in backports are not specifically supported by the security team. They are supported only by the maintainer of the package (or the uploader of the backport, as any Debian Developer can technically upload backports of any package). Security updates are nearly always handled by the security team, sometimes with the support of the package maintainer (the kernel is a good example where the maintainers do much of the heavy lifting). That said, packages in the backports repository can easily be outdated (both with respect to the latest version in testing/unstable and with respect to security fixes in stable).

Don't get me wrong, backports are immensely useful in some cases. In particular, for the kernel, backports are quite handy when you need support for newer hardware than what is available in stable. That said, users of backports must understand that part of the cost of using backports is that security fixes may be delayed, or may never arrive in backports.

I understand what you are trying to advise the OP, but your reasoning is all wrong. For someone running stable, the most secure configuration is stable-only. In this particular instance it happens that there is a new upstream release available in backports that addresses the specific security vulnerability which concerns the OP. However, this is by far the case for security vulnerabilities in general. I would strongly recommend against your approach as a means to obtain proper security fixes. It will inevitably lead to the mistaken impression that a system is properly secured when it in fact may have outstanding security vulnerabilities.

Regards,

-Roberto

--
Roberto C. Sánchez
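The point Roberto makes above, that a package pulled from a backports suite sits outside the security team's coverage, is easy to lose track of once the package is installed. The following script is an added example, not code from the thread or from Debian: it parses the output of `apt-cache policy <package>` (in the format apt prints on stretch) and reports whether the installed version is served from a `*-backports` suite, so such packages can be tracked separately. The sample policy output embedded in it is constructed for illustration; the version strings and mirror URLs in it are made up and not taken from the archive.

```shell
#!/bin/sh
# Added example (not from the thread): given `apt-cache policy <package>`
# output on stdin, report which kind of suite the *installed* version comes
# from. Prints "backports" if it is served from a *-backports suite,
# "stable" otherwise, or "none" if the package is not installed.
installed_origin() {
    awk '
        # "Installed: (none)" means nothing is installed at all
        /^  Installed: \(none\)/     { none = 1 }
        # " *** <version> <pin>" marks the installed version in the table
        /^ \*\*\* /                  { in_installed = 1; next }
        # exactly five leading spaces start the next version entry
        in_installed && /^     [^ ]/ { in_installed = 0 }
        # source lines carry "<suite>/<component>"; flag a *-backports suite
        in_installed && / [^ ]+-backports\// { found = 1 }
        END { print (none ? "none" : (found ? "backports" : "stable")) }
    '
}

# Constructed sample: the kernel metapackage installed from stretch-backports.
SAMPLE_BACKPORTS='linux-image-amd64:
  Installed: 4.14+89~bpo9+1
  Candidate: 4.14+89~bpo9+1
  Version table:
 *** 4.14+89~bpo9+1 100
        100 http://deb.debian.org/debian stretch-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     4.9+80+deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     4.9+80 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages'

# Constructed sample: the same metapackage installed from stretch/updates
# (the security suite), with backports merely available.
SAMPLE_STABLE='linux-image-amd64:
  Installed: 4.9+80+deb9u3
  Candidate: 4.9+80+deb9u3
  Version table:
     4.14+89~bpo9+1 100
        100 http://deb.debian.org/debian stretch-backports/main amd64 Packages
 *** 4.9+80+deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.9+80 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages'

# Constructed sample: package known to apt but not installed.
SAMPLE_NONE='linux-image-amd64:
  Installed: (none)
  Candidate: 4.9+80+deb9u3
  Version table:
     4.9+80+deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages'

# Classify one sample string.
classify_sample() {
    printf '%s\n' "$1" | installed_origin
}

# Stand-alone run. On a real system use instead:
#   apt-cache policy linux-image-amd64 | installed_origin
echo "backports sample: $(classify_sample "$SAMPLE_BACKPORTS")"   # backports
echo "stable sample:    $(classify_sample "$SAMPLE_STABLE")"      # stable
echo "none sample:      $(classify_sample "$SAMPLE_NONE")"        # none
```

Running this over `apt-cache policy` for each installed package from `dpkg-query -W -f '${Package}\n'` gives an inventory of everything that the security team's advisories will not cover, which is the list a stable-only administrator wants to be empty.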