[vox-tech] debian kernel security updates

Rick Moen vox-tech@lists.lugod.org
Fri, 5 Mar 2004 00:00:14 -0800


Quoting Charles McLaughlin (cmclaughlin@ucdavis.edu):

> If you run Debian Woody or maybe even Testing and have your sources.list 
> set up for security updates, does "apt-get dist-upgrade" update to the
> most recent stable kernel-image?

Maybe.  

First thing:  Do you even have a kernel-image*.deb package installed?[1]
By default, the installer used through woody doesn't:  You get a copy of
the installer's own kernel put in your /boot directory, but it's not
registered in the package database.  (It's intended that you'd
immediately apt-get some kernel _appropriate_ to your CPU/motherboard,
but most people don't figure that out.)  This will not be the case
starting with the new installer (now in beta).

So, if you've installed, say, the "kernel-image-2.4.18-1-686-smp"
package available from the stable collection, then the Security Team
guarantees that it will keep patched upgrade versions of that package
in its apt-gettable archive, the one you track by including...

   deb http://security.debian.org stable/updates main contrib non-free

...in your sources.list.  That's the Security Team's primary task --
producing packages with backported security fixes that are versioned so
as to upgrade smoothly from standard stable-branch packages already
issued.

If you're on the stable branch, but are using a kernel you acquired some
other way, from some other sort of package source, then automatic
acquisition of patched kernels in that fashion probably won't work.

If you're on the testing branch, the Security Team doesn't promise to
keep you updated, but they do publish quite a lot of security-fix
packages for that branch.  Making sure your system actually gets all the
security fixes it needs is up to you to ensure:  You should subscribe to
the security-alert mailing list, read the occasional Debian Security
Advisories (DSAs) it sends you, and take whatever corrective action
seems best for advisories relevant to your system.

[1] Do "dpkg -l | grep kernel-image".

-- 
Cheers,                                Bad Unabomber!
Rick Moen                              Blowing people all to hell.
rick@linuxmafia.com                    Do you take requests?
               --  Unabomber Haiku Contest, CyberLaw mailing list
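
Added example (not part of the original message): a small shell audit of the two preconditions the post describes, namely an installed kernel-image package and an active security.debian.org line for stable/updates. The function names, verdict strings and sample text (version numbers, mirror host, second kernel package) are constructed for illustration; on a real system you would feed in the output of "dpkg -l" and the contents of /etc/apt/sources.list.

```shell
#!/bin/sh
# Added example: checks captured text, so it runs offline on any POSIX shell.

# Read `dpkg -l` output on stdin; print kernel-image packages whose state
# column is "ii" (installed). "rc" (removed, config remains) does not count.
installed_kernel_images() {
    awk '$1 == "ii" && $2 ~ /^kernel-image-/ { print $2 }'
}

# Read sources.list text on stdin; succeed only if an active "deb" line
# points at security.debian.org with the suite given in $1.
# Commented-out lines fail the $1 == "deb" test and are ignored.
has_security_source() {
    awk -v suite="$1" '
        $1 == "deb" && $2 ~ /^http:\/\/security\.debian\.org\/?$/ && $3 == suite { found = 1 }
        END { exit !found }'
}

# $1 = dpkg -l text, $2 = sources.list text. Prints one verdict:
#   no-kernel-package   kernel in /boot is not in the package database
#   no-security-source  packaged kernel, but security archive not tracked
#   tracked             apt can pull patched kernel-image versions
kernel_update_status() {
    pkgs=$(printf '%s\n' "$1" | installed_kernel_images)
    if [ -z "$pkgs" ]; then
        echo "no-kernel-package"
    elif printf '%s\n' "$2" | has_security_source stable/updates; then
        echo "tracked"
    else
        echo "no-security-source"
    fi
}

# Constructed sample input (versions and descriptions are made up).
SAMPLE_DPKG='ii  kernel-image-2.4.18-1-686-smp  2.4.18-12   Linux kernel image
rc  kernel-image-2.2.20            2.2.20-5    Linux kernel image
ii  libc6                          2.2.5-11.5  GNU C Library'
SAMPLE_SOURCES='deb http://http.us.debian.org/debian stable main
# deb http://security.debian.org stable/updates main
deb http://security.debian.org stable/updates main contrib non-free'

kernel_update_status "$SAMPLE_DPKG" "$SAMPLE_SOURCES"
```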