PLEX86  x86- Virtual Machine (VM) Program

Why Does Linux Have So Many Security Patches How Does One Keep Up 4764



Well, I can't imagine that if someone has a system that is so important that it needs 24-7 uptime that there is not some redundant server that can be switched over to "live" status without disruption (and, in fact, *should* be switched over every so often to make sure it really works!). But I digress....

My server in the basement currently runs Fedora Core 3 and hosts (to the outside world) my Apache websites, PureFTP ftp site, Qmail SMTP server (still chugging along with some minor tweaks since RH 7.2 days though I'm considering shifting to Postfix at next upgrade), and Squirrelmail for web access to mail while I'm away from home. Yum gets the system updated nightly via a cron job so most stuff gets updated on the fly EXCEPT the kernel updates, which stack up until I see that one of the updates is for a security fix. I then usually reboot the server, load the latest kernel that includes that fix and then "rpm -e" the other kernels (except the last one that I was running and I know worked so if the new one hoses something I can restart). This works ok for my non-mission-critical server with the obvious downside that I don't really test the new kernel before going into "production" (but usually if something is broken with the new kernel I usually know pretty soon!). My server, however, has never run more than maybe 2-3 months before some sort of security fix comes out (and please note this is not just a Fedora Core thing; I started with RH 7.2, upgraded to 7.3 a few months later, stayed 7.3 until RH 9, then moved from RH9 directly to FC3).

How exactly does a non-geek assess the security risk of a fix? I also read what the Fedora.org site says was fixed, but usually it refers to something oblique like "fixes security vulnerability in..." and so since this stuff is all open source and people that might want to exploit *whatever* it was will be able to focus right in on the vulnerability - since it has now been highlighted for them - I just believe that all such vulnerabilities should be closed, and soon. My firewall logs show that I am getting probed on average over 150 times a day. True, 95% of that is likely to be script kiddies rooting around for the various Windows vulnerabilities, but I have no way to be sure that some of those aren't hoping to see an opportunity to pop in via some vulnerability and rootkit the machine.


It just seems irresponsible to have any machine with even 1 opening in the firewall to provide for outside access to ever have an out-of-date kernel if security patches have been released subsequent to its being put into service....
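The kernel housekeeping described in the post (keep the newest kernel and the last known-good running one, "rpm -e" the rest, and notice when a fix is installed but not yet booted) can be sketched as below. This is an added example, not part of the original post; the function names and the sample version list are constructed, and it assumes GNU `sort -V` ordering is close enough to RPM's own version comparison.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Constructed sample of installed kernel version-release strings, in the form
# `rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n'` prints on a real host.
SAMPLE_INSTALLED='2.6.9-1.667
2.6.10-1.741_FC3
2.6.10-1.770_FC3
2.6.11-1.14_FC3'

# newest_kernel: read version strings on stdin, print the highest one.
# Assumption: GNU `sort -V` approximates RPM's version ordering.
newest_kernel() {
    sort -V | tail -n 1
}

# kernels_to_remove RUNNING: read installed versions on stdin and print those
# that are neither the running (known-good) kernel nor the newest one.
# RUNNING must be given in the same version-release form as the list.
kernels_to_remove() {
    local running="$1" installed newest
    installed="$(cat)"
    newest="$(printf '%s\n' "$installed" | newest_kernel)"
    # -x whole-line match, -F literal strings; "|| true" when nothing is left.
    printf '%s\n' "$installed" | grep -vxF -e "$running" -e "$newest" || true
}

# reboot_pending RUNNING: exit 0 when a newer kernel is installed than the
# one running, i.e. the security fix is on disk but not yet live.
reboot_pending() {
    local running="$1" newest
    newest="$(newest_kernel)"
    [ "$running" != "$newest" ]
}

# Demo on the constructed sample, treating 2.6.10-1.770_FC3 as running.
printf '%s\n' "$SAMPLE_INSTALLED" | kernels_to_remove '2.6.10-1.770_FC3'
```

On a real host the list would come from the rpm query named in the comment and each printed version would be reviewed before being passed to "rpm -e".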


