This basically means that fixes for most security vulnerabilities cannot be back-ported to LTS kernels, but on the other hand stable releases contain all security fixes made so far.

In other words, use stable kernels over LTS whenever possible, assuming everything works for you and there are no specific circumstances, such as working in an environment where you have no control over the kernel (limited access, etc.).

  • kevincox@lemmy.ml · +2 · 3 years ago

    CVEs are just unique IDs. It is quite a stretch to go from “LTS kernels don’t track fixes by CVE” to “most security vulnerabilities cannot be back-ported to LTS kernels”.

    Of course bad tracking is concerning and makes it harder to verify, but you need more evidence to show that they actually aren’t getting fixed.

    • CHEF-KOCH@lemmy.ml (OP) · +1 / -1 · 3 years ago (edited)

      I think I provided enough evidence to support this. I expected more counter arguments, such as that newer features in newer kernels can increase the attack surface, but this is all there is in terms of counter arguments.

      Examples that are not in LTS are Lockdown LSM, the STACKLEAK GCC plugin and Spectre v2 mitigations.

      • kevincox@lemmy.ml · +1 · 3 years ago

        Missing hardening features is very different from missing fixes. I would expect that LTS kernels don’t get new major features such as hardening changes, even if they “improve security”.

        • CHEF-KOCH@lemmy.ml (OP) · +1 / -6 · 3 years ago (edited)

          The point is that what you call hardening features can help to address known vulnerabilities. This will increase security one way or another.

          Now bring evidence that I am wrong. Whoops, there is none.

          • kevincox@lemmy.ml · +4 · 3 years ago

            Sure. I agree with “Prefer stable kernels because they have the latest security hardening”. I was just disagreeing with “most security vulnerabilities cannot be back-ported to LTS kernels”.

            > Now bring evidence that I am wrong

            Haha. Good joke. Not worth responding to.

  • isleofmist@lemmy.ml · +1 · 3 years ago

    > In other words, use stable Kernels over LTS, whenever possible

    I think this is generally good advice, not just for security. The latest stable kernel is usually more stable and less buggy than the latest LTS.