lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190611145441.GB2788@1wt.eu>
Date:   Tue, 11 Jun 2019 16:54:41 +0200
From:   Willy Tarreau <w@....eu>
To:     Öyvind Saether <oyvinds@...uxreviews.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: Why "must" we upgrade the kernels? A hint would be nice

On Tue, Jun 11, 2019 at 04:31:42PM +0200, Öyvind Saether wrote:
> All the recently released kernels have had a "All users of the
> _branch_ kernel series must upgrade." notice. It would be informative
> to have some indication as to why users "must" upgrade. The logs are
> long and do not really say if there is some urgent reason to upgrade.
> 
> Also, as I point out in my latest article about them kernels at
> https://linuxreviews.org/Mihan - it is fair to wonder if Greg just put
> that warning in a template and forgot about it since it appears to be
> attached to every single kernel-release. A warning like that gets less
> urgent each time it appears.

I'm pretty sure he keeps it on purpose and it's not a bad idea. Each time
you say someone "now you must really upgrade", you can be sure that no
other upgrades will happen. In practice the kernel is robust enough to
resist not being upgraded every week. And in the rare cases it will not
be true, you will learn about it instantly via news channels. It's also
worth reminding that what is critical to some is totally irrelevant to
others, and with the millions of users following these updates, it's
really impossible to tell which update is important and which one is
not.

Just proceed like most of us : try to stay up to date, take the opportunity
of a calm afternoon to upgrade and reboot once in a while and that's fine.
I personally do it every time my laptop runs out of juice because that's
the moment where I know I will not lose my environment again :-)

It's not uncommon to see devices shipping with thousands of bugs remaining
unfixed for 6 months or more, so you can really consider that you're
doing a good job if you're updating more often than this. A good hint is
to remember to update when you see a new major kernel issued (every 2.5
months on average). If you're on LTS and have little time available, just
pick the latest one of your branch. If you're on LTS with a bit more time,
try to upgrade to a more recent LTS branch (takes more time just because
you'll discover many new config options). If you're following -stable and
not LTS, then at this pace you can take the latest stable of the branch
just before the newly issued one. For example I upgraded my laptop to
4.19.48 this week-end. I wanted to go to 5.1 but didn't feel brave enough
to go through "make oldconfig" this time. And I won't upgrade it again
within the next month or so.

Overall it's not as if options were lacking. Just don't feel guilty and
be reasonable with your upgrades. You'll then see that the "all users
must upgrade" advice becomes an excellent reminder!

Just my two cents,
Willy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ