Gentoo Forums
Upgrades per month of gcc/kernel are worth the fuss?[solved

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Wed May 17, 2006 5:32 pm    Post subject: Upgrades per month of gcc/kernel are worth the fuss?[solved

Hello,

I am currently learning Linux through Gentoo.
I have set up my desktop and I am currently building a Gentoo web server.
This is a procedure that has been going on for at least one year now.

I have noticed that at least once a month there are upgrades to certain programs
like gcc or binutils or others that require an "emerge -e world" procedure which -of
course- lasts (if someone wishes to do it properly) for at least 24 hours.

At the same time, there are also kernel upgrades that occur every one or two months.
The problem with the kernels is that every upgrade adds new features that are very
time-consuming for someone who is not a computer expert to understand thoroughly and tackle
in a way that he is certain of achieving a good configuration.

The question is:

Bearing in mind that a program update needs time and in some cases
old configuration files that "do the job properly" will not work with new programs appropriately, how often could a
web-site server be updated in terms of its base programs such as gcc/kernel so that a reasonable
level of security is achieved constantly?


Kind regards,
orange_juice


Last edited by orange_juice on Thu May 18, 2006 10:09 pm; edited 1 time in total

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54397
Location: 56N 3W

Posted: Wed May 17, 2006 5:40 pm

orange_juice,

Read the security alerts and update only when it affects you.
E.g. if your kernel has a local exploit, you may not mind ... someone has to gain physical access to the PC to take advantage of it.
If apache (or your web server software) has a remote exploit, you need to fix it as soon as possible, unless it's confined to a module you don't use.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Wed May 17, 2006 5:53 pm

NeddySeagoon,

Thank you for your prompt and sharp reply.

Would it be reliable to filter the relevant security alerts through the command:
Code:
glsa-check -p all


Kind regards,
orange_juice

hjnenc
Veteran

Joined: 15 Aug 2004
Posts: 1599
Location: Vienna, Austria

Posted: Wed May 17, 2006 6:18 pm    Post subject: Re: Upgrades of gcc/kernel are worth the fuss once a month?

orange_juice wrote:

I have noticed that at least once a month there are upgrades to certain programs
like gcc or binutils or others that require an "emerge -e world" procedure which -of
course- lasts (if someone wishes to do it properly) for at least 24 hours.


There are only very few upgrades that really require an "emerge -e world". If it is necessary, it is prominently announced.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54397
Location: 56N 3W

Posted: Wed May 17, 2006 6:52 pm

orange_juice,

glsa-check is still experimental and comes with a warning.

Get your system up to date, then read the GLSA as they are published. Update as you see the need.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
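
An added example, not part of any post in this thread and not Gentoo's own tooling: the triage NeddySeagoon describes in his two replies (act on advisories that touch what you actually run, remotely reachable issues first) written as a small Python filter. The advisory records, ids and installed versions are constructed, the XML only loosely follows the GLSA layout, and version comparison is simplified to plain dotted numbers.

```python
import xml.etree.ElementTree as ET

# Constructed advisories, loosely modelled on GLSA XML (ids and versions are made up).
ADVISORIES = """
<advisories>
  <glsa id="EXAMPLE-01"><access>remote</access>
    <package name="net-www/apache"><vulnerable range="lt">2.0.58</vulnerable></package></glsa>
  <glsa id="EXAMPLE-02"><access>local</access>
    <package name="sys-apps/shadow"><vulnerable range="lt">4.0.15</vulnerable></package></glsa>
  <glsa id="EXAMPLE-03"><access>remote</access>
    <package name="net-ftp/proftpd"><vulnerable range="lt">1.3.0</vulnerable></package></glsa>
  <glsa id="EXAMPLE-04"><access>remote</access>
    <package name="dev-lang/php"><vulnerable range="lt">5.1.4</vulnerable></package></glsa>
</advisories>
"""

# Constructed list of what this server has installed.
INSTALLED = {"net-www/apache": "2.0.55", "sys-apps/shadow": "4.0.14", "dev-lang/php": "5.1.4"}

def vkey(version):
    # Simplification: plain dotted numeric versions only (no _rc or -r1 suffixes).
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(installed, rng, bound):
    a, b = vkey(installed), vkey(bound)
    return {"lt": a < b, "le": a <= b, "eq": a == b, "gt": a > b, "ge": a >= b}[rng]

def triage(xml_text, installed):
    """Return (id, package, access) for advisories hitting an installed version, remote first."""
    hits = []
    for glsa in ET.fromstring(xml_text).iter("glsa"):
        access = glsa.findtext("access", default="unknown").strip()
        for pkg in glsa.iter("package"):
            have = installed.get(pkg.get("name"))
            if have is None:
                continue  # package not installed: advisory does not apply here
            if any(is_vulnerable(have, v.get("range"), v.text.strip())
                   for v in pkg.iter("vulnerable")):
                hits.append((glsa.get("id"), pkg.get("name"), access))
    # Remotely reachable issues sort ahead of everything else.
    return sorted(hits, key=lambda h: (h[2] != "remote", h[0]))

if __name__ == "__main__":
    for gid, name, access in triage(ADVISORIES, INSTALLED):
        print(f"{gid}: {name} ({access})")
```

The proftpd record is skipped because the package is not installed, and the php record is skipped because the installed version already meets the fixed bound.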

matt2kjones
Tux's lil' helper

Joined: 03 Mar 2004
Posts: 89

Posted: Wed May 17, 2006 11:57 pm

I have also been updating my webserver as and when stuff enters portage... I do an update about twice a week.

I have been reading through the GLSA list of security issues and have noticed that there are no kernel security issues listed there for the past year... surely this is inaccurate... or am I just not searching it properly... or maybe not all security issues are added?
_________________
OSST - Formally: The Linux Mirror Project
OSST - Open Source Software Downloads - Torrents for over 80 Distributions

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Thu May 18, 2006 11:40 am

Thank you, NeddySeagoon, I believe that the proper way is always the best way.

hjnenc,

Quote:
There are only very few upgrades that really require an "emerge -e world". If it is necessary, it is prominently announced.


Shall I receive that piece of information from the Gentoo Weekly Newsletter?

Kind regards,
orange_juice

lnxz
Guru

Joined: 03 Jul 2005
Posts: 472
Location: Earth

Posted: Thu May 18, 2006 8:30 pm

The gentoo-announce mailing list might be quite useful to you.

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Thu May 18, 2006 10:07 pm

Thank you very much.

Kind regards
orange_juice

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Fri May 19, 2006 8:43 am

matt2kjones,

check this web-page, should be useful.

Kind regards,
orange_juice

hjnenc
Veteran

Joined: 15 Aug 2004
Posts: 1599
Location: Vienna, Austria

Posted: Fri May 19, 2006 2:16 pm

orange_juice wrote:

Shall I receive that piece of information from the Gentoo Weekly Newsletter?

Yes, this is one place. Others are the forums and the mailing lists. For an example of such an announcement see GCC-3.4 will be marked stable in ~1 hour on x86

nevynxxx
Veteran

Joined: 12 Nov 2003
Posts: 1123
Location: Manchester - UK

Posted: Fri May 19, 2006 2:25 pm

In 3 years of using Gentoo I have never upgraded anything that required an emerge -e world.

I can safely say that, because I have never typed that combination of characters in my life until this post!

There is a tool called glsa-check that can tell you of security upgrades, also there is a security mailing list that can be subscribed to.

That should do the trick.
_________________
My Public Key

Wanted: Instructor in the art of Bowyery

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Fri May 19, 2006 4:01 pm

Indeed...

I have subscribed to the relevant mailing lists, and I should get used to refining the relevant information that matches my setup. It might take some time but I believe that the result will be adequate security in an accordingly acceptable amount of time dedicated to this task.

I have "emerged -e" world when the compiler was updated or certain programs like binutils-config, gcc-config were updated. Being unsure of what would be best, I decided to recompile my programs with the new compiler. Better "safe" than sorry! If I were more experienced I could judge more accurately and this is what I am working on now!

Thank you for your help which is always welcome.

Kind regards,
orange_juice

lnxz
Guru

Joined: 03 Jul 2005
Posts: 472
Location: Earth

Posted: Sat May 20, 2006 10:49 am

binutils/gcc-config are only scripts used to manage profiles, I believe, thus recompiling everything isn't necessary when they're updated (unless, of course, the new versions change things in a very fundamental way).

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Sat May 20, 2006 3:46 pm

Actually, I have not finished setting up the server, thus I am adding new programs week by week. What I fear is that these -even minor- changes to the core system programs are able to influence the fluent operation of the system, since -for example- I might have 3 different sets of programs compiled with 3 different versions of those core files.

It is more of an extreme effort to eliminate the factors that might cause an unexpected error and restrain it from happening rather than putting myself in a more difficult -for me- situation trying to resolve it after it has happened...

I lack the experience that would make me feel more "relaxed", especially if it is about a computer that will stay constantly online.

This is the reason why I am trying to figure out how the necessity of recompiling the whole system is communicated to the users of Gentoo. I am currently trying to get to grips with a more carefully filtered "forum scanning" and the mailing list digests. I hope this will bring some good results in the mid-term, at least!

Thank you for your help.

Kind regards,
orange_juice

lnxz
Guru

Joined: 03 Jul 2005
Posts: 472
Location: Earth

Posted: Sat May 20, 2006 4:41 pm

revdep-rebuild may help you identify breakage due to upgrading.

orange_juice
Guru

Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

Posted: Sun May 21, 2006 12:53 pm

Indeed, lnxz...

NeddySeagoon wrote:

Read the security alerts and update only when affects you.


lnxz wrote:
revdep-rebuild may help you identify breakage due to upgrading.


If Don Quixote was advised accordingly, Cervantes would probably be unknown!

Kind regards,
orange_juice