PLEX86  x86- Virtual Machine (VM) Program


Why Does Linux Have So Many Security Patches How Does One Keep Up 4764
Well, I can't imagine that if someone has a system that is so important that it needs...

In a message on Wed, 09 Nov 2005 09:53:21 -0500, wrote :

Noone I imagine they ignore the security fixes to the kernels. Or they may read the release notes to the security fixes and decide they do not apply to them. And they may not...

Because of modular programming and because the kernel has the very minimal 'functionality' -- just enough to do what it needs to do, the kernel has few externally visible accessible security holes (if any). 99% of the *externally* visible security problems with Linux are with various network services. These are all separate programs (generally daemons) from the kernel. They can be patched and updated on a running system and once patched or updated, the daemon can then be restarted. Unlike MS-Windows, Linux does not need a reboot when system software is installed or updated. Oh, sometimes the security patch is for some random driver module, say for the foobar SCSI controller. If the machine does not have a foobar SCSI controller, but instead has a brandQ SCSI controller, security issues with the foobar SCSI controller don't affect the running kernel. Or maybe there is a security patch for ReiserFS, but the server only has Ext3 file systems in use.

Yes, sometimes people are running with 'unpatched' kernels, which might have security problems, but generally these security problems are only exploitable by someone who can get onto the machine in some normal way. Many Linux server machines don't even have normal user accounts at all. Or the user accounts don't have shell access or something. So long as only trustworthy users have access, the kernel problems can be deferred, particularly on a machine that must not be taken down, even briefly, except for some emergency or for very occasionally scheduled reboots, or truly *serious* kernel security issues.

The security-based kernel patches aren't being ignored as much as an intelligent security assessment has been made and the update has been deferred. Many of the security patches for Linux are actually very minor ones and many have a low threat risk. Since the source is available, a system admin can make an intelligent decision. Also, Linux patches are applicable on a one-by-one basis (e.g., one package at a time), unlike MS-Windows 'service packs', which apply a whole mess of patches to a whole pile of different programs and modules, with little or no choice to pick and choose which patches to apply and which not to bother with (since the patch is not relevant to the specific machine in question).
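The applicability check described in the post (is the patched driver or filesystem actually in use on this machine?) can be scripted, shown here as an added example that is not part of the original post. The function names are hypothetical, `foobar` is the post's made-up driver name, and the file arguments exist only so the functions can be pointed at saved copies instead of the live `/proc` and `/lib/modules` files.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical;
# "foobar" is the post's made-up driver name.

# listed_in NAME FILE: succeeds if FILE (modules.dep or modules.builtin
# format) lists a module called NAME. "-" and "_" are treated as equal.
listed_in() {
    awk -F: -v m="$1" '{
        n = $1; sub(/.*\//, "", n); sub(/\.ko.*$/, "", n); gsub(/-/, "_", n)
        if (n == m) f = 1
    } END { exit !f }' "$2" 2>/dev/null
}

# module_state NAME [PROC_MODULES] [MODULE_DIR]
# Prints one of:
#   loaded    - in the running kernel: the advisory applies now
#   builtin   - compiled into the kernel image: present and cannot be unloaded
#   available - installed but not loaded: unused now, but it can still be loaded
#   absent    - not loaded and not installed for this kernel
module_state() {
    name=$(printf '%s' "$1" | tr '-' '_')
    proc_modules=${2:-/proc/modules}
    module_dir=${3:-/lib/modules/$(uname -r)}
    if awk -v m="$name" '$1 == m { f = 1 } END { exit !f }' "$proc_modules"; then
        echo loaded
    elif listed_in "$name" "$module_dir/modules.builtin"; then
        echo builtin
    elif listed_in "$name" "$module_dir/modules.dep"; then
        echo available
    else
        echo absent
    fi
}

# fs_mounted TYPE [PROC_MOUNTS]: succeeds if any mounted filesystem is of TYPE.
fs_mounted() {
    awk -v t="$1" '$3 == t { f = 1 } END { exit !f }' "${2:-/proc/mounts}"
}
```

With no extra arguments, `module_state foobar` and `fs_mounted reiserfs` read the live system. A result of `available` means the deferral is a judgement call rather than a non-issue, since the module is installed and could be loaded later.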


