> On 2 Jan 2018, at 20:20, Kai Krakow <hurikha...@gmail.com> wrote:
> 
> 
>> Now `emerge -n =sys-kernel/gentoo-sources-4.14.8-r1` - "This option can
>> be used to update the world file without  rebuilding the packages."
> 
> I don't think this is how it works. While technically correct, the 
> outcome is different to what you're trying to achieve.
> 
> 
>> This pins your kernel version at 4.14.8-r1 and you can update when, in
>> future, you decide it's time to update your kernel, without being nagged
>> about it every time a new version is released or you emerge world.
> 
> The equal sign doesn't pin versions, at least not that I remember. 
> Packages are pinned by slot in the world file. Coincidence may be that the 
> version you selected happens to be exclusively the only slot, too.

It installs exactly that version, and that exact version is recorded in the 
world file.

$ grep -e source /var/lib/portage/world
sys-kernel/gentoo-sources:4.9.34
$ 

> It's adequate to update your software when a security hole was fixed - on 
> the point. Not two or three months later...
> 
> It gives a false impression of safety if you recommend such things.

We could spend every day updating our systems - IDK about you, but I have 
better things to do.

If the kernel devs cared to announce when they were patching exploits then we 
could take each one under consideration individually. But the kernel devs are 
secretive about kernel exploits, because they know there are literally millions 
of systems out there on the internet with kernels months and years old.

You're right about the attack vectors, which is why I prioritise the apps and 
servers I run - an attacker has to get past those before it can exploit those. 
I updated OpenSSH and openssl the day I learned of the HeartBleed attack for 
example.

Meanwhile, I've seen security vulnerabilities go unfixed for literally weeks in 
the bug tracker, so I don't see the significance of a vulnerability an attacker 
is unlikely to be able to reach. The sites I visit do not make me fear my 
kernel being attacked via the browser.

This thread is not for arguing about security, which is an old discussion and 
which has been done to death. Everyone has their own opinions, and I'm not 
going to add any more.

This thread is about how to fix OP's problem, and that's what I addressed. If 
you install kernels by specific version, as I suggest, then you're free to 
update them manually as often as you wish.

Stroller.
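To make the slot-versus-version distinction in this exchange concrete, here is an added example (not from the thread and not Portage's own code): it parses world-file atoms of the kinds shown above, `pkg:slot` as in the grep output and `=pkg-version`, and lists the entries that a world update will not move forward and that therefore need a manual check for security fixes. The sample world-file content is constructed, and the atom grammar is a simplified subset of what Portage accepts.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/lib/portage/world (not taken from any real system).
SAMPLE_WORLD = """\
app-editors/vim
sys-kernel/gentoo-sources:4.9.34
=dev-lang/python-3.6.3
<=www-client/firefox-57.0
"""

# One atom: optional operator, category/name, version (only with an operator)
# and optional :slot.  A version starts with a digit, unlike hyphens in a name.
ATOM_RE = re.compile(
    r"^(?P<op>[<>=~]*)(?P<cat>[A-Za-z0-9_][A-Za-z0-9+_.-]*)/"
    r"(?P<pkg>[A-Za-z0-9_][A-Za-z0-9+_-]*?)"
    r"(?:-(?P<ver>[0-9][0-9A-Za-z_.]*(?:-r[0-9]+)?))?"
    r"(?::(?P<slot>[^:\s]+))?$"
)

@dataclass
class WorldEntry:
    category: str
    package: str
    operator: str           # "" when the atom carries no version operator
    version: "str | None"   # set only for version-restricted atoms
    slot: "str | None"      # set only for slot-restricted atoms

    @property
    def restriction(self) -> str:
        if self.operator and self.version:
            return "version"
        return "slot" if self.slot else "none"

def parse_world(text: str) -> "list[WorldEntry]":
    """Parse world-file lines into entries, skipping blanks and comments."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = ATOM_RE.match(line)
        # An operator without a version (or vice versa) is not a valid atom.
        if not m or bool(m["op"]) != bool(m["ver"]):
            raise ValueError(f"malformed world atom: {line!r}")
        entries.append(WorldEntry(m["cat"], m["pkg"], m["op"], m["ver"], m["slot"]))
    return entries

def restricted_entries(text: str) -> "list[WorldEntry]":
    """Entries that `emerge -uDN @world` will not move to a newer version or slot."""
    return [e for e in parse_world(text) if e.restriction != "none"]
```

Run it against the real file with `restricted_entries(open("/var/lib/portage/world").read())` to get the list of packages whose updates are on you rather than on the next world update.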

