Overall, should LTS kernels be preferred over the current release in order to avoid new, experimental and potentially buggy features? If so, under the assumption that one’s hardware is fully compatible with the older kernels, how many releases back should one stick with?
LTS kernels don’t always backport all security fixes, so no, LTS is not better than just sticking with the latest release. It’s not like using a beta OS; the “latest” kernel version is the latest stable release, not the bleeding-edge alpha/beta/whatever.
LTS stands for Long Term Support. I’ll start with this quote from Wikipedia:
LTS applies the tenets of reliability engineering to the software development process and software release life cycle. Long-term support extends the period of software maintenance; it also alters the type and frequency of software updates (patches) to reduce the risk, expense, and disruption of software deployment, while promoting the dependability of the software. It does not necessarily imply technical support.
TL;DR: LTS makes the trade-off of the latest features in favor of reliability. This isn’t necessarily a security thing; critical patches will typically go to both LTS and latest. Non-critical patches may not get to LTS, so technically there may be a larger security gap.
With this, the benefit is that it greatly reduces the risk of unexpected changes or bugs in the latest kernel (keep in mind the kernel is still pretty high-quality software). Whether or not the risk of latest vs LTS matters depends on your use case. For example, a server running company production software may run LTS and then be carefully migrated to the subsequent LTS after it’s released. For a desktop environment or everyday users, it probably isn’t as big of a deal unless you’ve got strict software you need to run that greatly prefers LTS (e.g. you are running Steam Proton, where Valve recommends LTS).
Use the latest stable (currently 6.10) wherever possible.
If you really need LTS, I wouldn’t go further back than 6.1, and preferably use the latest one (6.6).
In terms of security, no, you might miss out on some fixes that haven’t been backported (especially when it’s not the upstream Linux LTS kernel but custom versions with their own backports like those used by Debian, Ubuntu, Red Hat and SUSE).
But in practice, I’d say unless you think you might be a target of hacking or otherwise need to have the best security, LTS can give you the peace of mind that your OS won’t just break after an update, particularly for servers or a PC you use for work.
A compromise could be openSUSE or Fedora Atomic: they use the newest kernels but allow rolling back updates if anything goes wrong.
On this topic, I have a doubt. The latest LTS is 6.6; I just don’t get how Ubuntu LTS is using 6.8. Do they backport patches?
@ikelatomig
Yep, this is why I can’t recommend any desktop distro that doesn’t use official kernel.org branches.
Take a look at this example:
- CVE-2023-0461
  - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation.
  - fix authored January 3rd 2023, pushed January 4th
  - kernel.org shipped it on January 14th: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.6
- CVE-2023-0179
  - This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.
  - fix authored and pushed January 11th 2023
  - kernel.org shipped it January 18th: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.7
- Ubuntu shipped them March 2nd: USN-5912-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu
- Ubuntu shipped LivePatch updates for them March 27th: LSN-0093-1: Kernel Live Patch Security Notice | Ubuntu security notices | Ubuntu
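The lag described in the post above only matters if you can actually tell which fixes a given kernel carries. As an added example (not from the thread, from kernel.org or from Ubuntu), the following Python script takes a release string of the kind `uname -r` prints and decides, for the two CVEs listed above, whether the upstream stable release already contains the fix. The fixed-in table is constructed from the two kernel.org releases quoted in the post; the handling of distro-style suffixes such as `-generic` or `-amd64` is an assumption about how distributions name their kernels, and the script deliberately refuses to guess for those, since their version numbers say nothing about what has been backported.

```python
"""Decide from a kernel release string whether an upstream stable fix is present.

Added example for this thread, not code from kernel.org or any distribution.
The CVE table is constructed from the two cases quoted in the post above.
"""
import re

# Constructed from the thread: first upstream stable release shipping each fix.
FIXED_IN = {
    "CVE-2023-0461": "6.1.6",
    "CVE-2023-0179": "6.1.7",
}

# major.minor[.patch][-suffix]; the suffix is where distros append their own version
# (6.8.0-45-generic, 6.1.0-25-amd64) and where mainline marks release candidates (6.2-rc1).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_kernel_version(release):
    """Return ((major, minor, patch), suffix) for a string such as uname -r prints."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def fix_status(cve, release):
    """'fixed', 'vulnerable', or an 'unknown: ...' string naming what to check instead."""
    fixed, _ = parse_kernel_version(FIXED_IN[cve])
    have, suffix = parse_kernel_version(release)
    is_rc = suffix is not None and re.fullmatch(r"rc\d+", suffix) is not None
    if suffix is not None and not is_rc:
        # Assumption: any other suffix means a distro build carrying its own backports,
        # so the number cannot answer the question; the vendor advisory can.
        return "unknown: distro-patched kernel, check the vendor advisory (e.g. USN/LSN)"
    if have[:2] == fixed[:2]:
        if is_rc:
            # An rc precedes x.y.0, which precedes the stable release that shipped the fix.
            return "vulnerable"
        return "fixed" if have[2] >= fixed[2] else "vulnerable"
    if have[:2] > fixed[:2]:
        if is_rc:
            # A later merge window may have opened before the fix was written.
            return "unknown: release candidate, check whether the fix commit is in its tree"
        # Stable fixes are backports of mainline commits, so every later series carries it.
        return "fixed"
    return "unknown: older stable series, check that series' own ChangeLog on kernel.org"


def report(release, cves=FIXED_IN):
    """Status of every tracked CVE for one release string."""
    return {cve: fix_status(cve, release) for cve in cves}


if __name__ == "__main__":
    import platform
    for r in ("6.1.5", "6.1.7", "6.8.0-45-generic", platform.release()):
        try:
            print(r, report(r))
        except ValueError as e:
            print(e)
```

Run it on a distro kernel and every entry comes back `unknown`, which is the point: for a vendor kernel the only authoritative answer is the vendor's own notice, such as the USN and LSN pages linked above, and the thread shows how far behind those can be.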
Informative and unfortunate. I’d expect them to be negligent with random packages, but not with the kernel. I guess it’s one more reason to recommend against Ubuntu.
10 posts were split to a new topic: Debian-based distro that has the latest kernel patches?
Really appreciate these very informative posts of yours, thanks. I guess this is yet another reason not to recommend Ubuntu.