On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
> > > > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > > - kernel-source-2.6.11 2.6.11 2.6.11-4
> > > - kernel-source-2.6.8 2.6.8-16
> > > - kernel-source-2.4.27 2.4.27-10
>
> always use the latest kernel ... from kernel.org ...
>
> and similarly with other important binaries from their
> respective originating site
> mta, apache, kernel, glib, make/gcc, bash, endless list
>
Sorry, but that is horrible advice. For every app you get directly from upstream, you become directly responsible for supporting security issues. I understand that even if you use the Debian packages, you are still ultimately responsible. Not only that, but the Debian Security Team does an excellent job given the resources and situation. Woody has versions of software that were no longer supported upstream when Woody shipped. That makes security support really difficult, but that doesn't mean that someone should run out and install everything from source. That sort of defeats the purpose of a distro.

As far as the kernel, even Linus Torvalds himself, IIRC, has stated that running kernels from kernel.org is not a good idea unless, 1) you are testing the kernel and/or developing on it, or 2) you are absolutely 100% certain that you know exactly what you are doing and the ramifications of that. Don't forget that on many occasions, the release versions of the kernel have had security vulnerabilities in them that are only fixed in daily snapshots and won't become officially available until the next release.

Add to that the fact that the kernel developers *do not* provide proper security support. That is, if kernel x.y.z runs perfectly for you and CAN-xyzw comes out, they will fix it in the next release, which may or may not work for you. That leaves you with three choices: 1) continue to run the vulnerable kernel, 2) upgrade to the new kernel and pray it doesn't break, 3) backport the security fix yourself. It's a lot of work either way, unless that is your full time job. That is why the Debian Security Team (and the respective teams for the other distros) spend lots of time backporting kernel security fixes with minimal disturbance to the rest of the kernel code.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr