On Mon, Feb 19, 2018 at 01:23:25PM +0000, Michael Fothergill wrote:
> Checkout the debian backports suite (kindly resourcefully suggested by
> Andy Smith)
> Easiest thing to do when requiring a newer kernel would be to check
> the backports suite, so in this case in stretch-backports we find
> That's a virtual package that gets you the latest real kernel
> package available in that suite, which right now is
> >From there, if you look on the right you will see the Debian
> changelog link
> which tells us that this corresponds to upstream release 4.14.13.
> The upstream release was made on 10 January and this backports
> package came on 14 January, so that's pretty swift.
> Newer kernels should be there now and there may well be one that deals
> with both the meltdown and spectre vaulbnerabilities jointly.
That is not at all how the backports repository is intended to be used.
I have been maintaining Debian packages for many years and I have on
occasion uploaded backports of my packages.
The packages in backports are not specifically supported by the security
team. They are supported only by the maintainer of the package (or the
uploader of the backport, as any Debain Developer can technically upload
backports of any package).
Security updates are nearly always handled by the security team,
somtimes with the support of the package maintainer (the kernel is a
good example where the maintainers do much of the heavy lifting). That
said, packages in the backports repository can easily be outdated (both
with respect the to the latest version in testing/unstable and with
respect to security fixes in stable).
Don't get me wrong, backports are immensely useful in some cases. In
particular, for the kernel, backports are quite handy when you need
support for newer hardware than what is available in stable. That said,
users of backports must understand that part of the cost of using
backports is that security fixes may be delayed, or may never arrive in
I understand what you are trying to advise the OP, but your reasoning is
all wrong. For someone running stable, the most secure configuration is
stable-only. In this particular instance it happens that there is a new
upstream release available in backports that addresses the specific
security vulnerability which concerns the OP. However, this is by far
the case for security vulnerabilities in general.
I would stronly recommend against your approach as a means to obtain
proper security fixes. It will inevitably lead to the mistaken
impression that a system is properly secured when it in fact may have
outstanding security vulnerabilities.
Roberto C. Sánchez