POLL: How many revisions behind is acceptable for a Linux kernel?
I'm building a script that polls kernel.org and then compares the version against what we have for all of our hosts. How many revisions behind do you find acceptable to have for the Linux kernel? I'm thinking 5 would be an acceptable buffer, 3 preferable? I don't have any idea how to back those numbers up.
Reminder: versioning numbers are in the format: $major.$minor.$revision.$build
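An added example (not from the original post or from any poster's script) of the comparison step the question describes, using the `$major.$minor.$revision.$build` format given above. It treats the first three components as the stable branch and counts only point releases newer than the host within that branch, because "n revisions behind" is only well defined inside one branch; a host on a branch the release list does not cover is reported separately rather than given a misleading count. Release candidates are skipped so hosts are never compared against an -rc. The release list and host inventory are constructed sample data, not fetched from kernel.org.

```python
import re

# Accepts "2.6.19", "2.6.19.7" or "2.6.27.1"; -rc and malformed strings return None.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse "$major.$minor.$revision[.$build]" into a comparable tuple, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, rev, build = m.groups()
    return (int(major), int(minor), int(rev), int(build) if build else 0)


def branch_of(version):
    """Stable branch key: the first three components (2.6.19.x -> (2, 6, 19))."""
    return version[:3]


def revisions_behind(host, releases):
    """Count point releases in the host's own branch that are newer than the host.

    Returns (behind, status) where status is one of:
      "current"         host runs the newest release in its branch
      "behind"          `behind` newer point releases exist in the branch
      "ahead"           host is newer than anything upstream (vendor numbering?)
      "unknown-branch"  the release list has nothing for this branch
    """
    same_branch = [v for v in releases if branch_of(v) == branch_of(host)]
    if not same_branch:
        return (0, "unknown-branch")
    newer = [v for v in same_branch if v > host]
    if newer:
        return (len(newer), "behind")
    if host > max(same_branch):
        return (0, "ahead")
    return (0, "current")


def audit(hosts, releases, max_behind):
    """Map host name -> (behind, status, flagged) for a fleet under a threshold policy.

    A host is flagged when it is more than `max_behind` releases behind, or when
    it cannot be evaluated at all (unknown branch or unparseable version string),
    so a gap in the data never silently reads as "up to date".
    """
    parsed = [r for r in (parse_version(s) for s in releases) if r is not None]
    report = {}
    for name, version_text in hosts.items():
        host = parse_version(version_text)
        if host is None:
            report[name] = (0, "unparseable", True)
            continue
        behind, status = revisions_behind(host, parsed)
        flagged = status == "unknown-branch" or behind > max_behind
        report[name] = (behind, status, flagged)
    return report


# Constructed sample data (not fetched from kernel.org): a stand-in for the
# release list the script would retrieve, and a small fleet of hosts.
SAMPLE_RELEASES = [
    "2.6.19", "2.6.19.1", "2.6.19.2", "2.6.19.3", "2.6.19.4", "2.6.19.5",
    "2.6.19.6", "2.6.19.7",
    "2.6.27", "2.6.27.1", "2.6.27.2", "2.6.27.3",
    "2.6.28-rc1",   # release candidate: rejected by parse_version
]
SAMPLE_HOSTS = {
    "web1": "2.6.27.3",     # newest in its branch
    "web2": "2.6.27",       # three point releases behind
    "build1": "2.6.19",     # seven behind, exceeds a threshold of 5
    "legacy1": "2.6.16.60", # branch absent from the release list
    "vendor1": "2.6.27.9",  # higher than anything upstream
    "badhost": "2.6.x",     # inventory garbage
}

if __name__ == "__main__":
    for name, (behind, status, flagged) in audit(SAMPLE_HOSTS, SAMPLE_RELEASES, 5).items():
        print(f"{name:8s} {status:15s} behind={behind} {'FLAG' if flagged else 'ok'}")
```

The threshold is a parameter on purpose: the count only tells you how many releases you skipped, not whether any of them carried a security fix, so the number alone is a weak signal and the flagged hosts still need a look at the changelogs for the releases they missed.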
Are these development boxes or what? We still have equipment going out with 2.6.19 on them due to one of the modules on there not working very well (i.e. not at all) with anything higher.
> Are these development boxes or what? We still have equipment going out with 2.6.19 on them due to one of the modules on there not working very well (i.e. not at all) with anything higher.

Yeah, we want to keep them as patched as possible, but still have a bit of leeway.
It depends a lot on the purpose of the machine and the perceived risk. For a production web server I would try to stay reasonably up-to-date, but instead of just upgrading whenever a new version hits, just subscribe to some kernel security list and scan what is happening. More often than not it is the security fix you want to upgrade for, not the inclusion of yet another new webcam driver.
If you have non-trusted users with shell access, the answer is: 0. Privilege escalation is a frequent problem with Linux.
Otherwise, I'd stick with a kernel that works(tm), with remote-exploitable network driver security holes the only exception.