In security terms, one size fits all is a poor
security policy.
Mike MacCana wrote:
Jeff Waugh wrote:
<quote who="O Plameras">
He once said, if you have a point, Hammer on that point;
Oscar, you claimed that "building kernels is required for securing
servers".
You have not backed that up. You have not provided any substantial evidence
to suggest - particularly to the disbelieving eyes of experienced admins on
this list - that your claim has any basis in fact.
I suggested a number of reasons why building kernels is *not* required for
securing servers, and a number of reasons why building kernels may actually
adversely affect your server's security.
A belief in what you've claimed is not shared by experienced sysadmins here,
and it flies in the face of security theory, let alone practice. I'd be
interested to find out how you came to believe this - it's a dangerous idea
that I hope is not widespread.
It is indeed a bad idea, but in my own experience the perception that
'it is better to compile your own kernel on a production server' is
widespread.
One amusing thing I note is that more people are under the impression
that compiling an entire kernel is necessary for adding a single
driver module to their systems. That's mainly the fault of Shit
Documentation (TM) rather than the users, though.
The other thing that's worth mentioning (and more to do with security
than the point above) is that if there's a few hundred thousand people
using the exact same kernel build as you, you have the advantage of
being able to pool resources with them via your distribution's bug
mechanism. I.e., more people notice more stuff more often.
Mike
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html