Are LTS kernels recommended for security?

Overall, should LTS kernels be preferred over the current release in order to avoid new, experimental and potentially buggy features? If so, under the assumption that one’s hardware is fully compatible with the older kernels, how many releases back should one stick with?

LTS kernels don’t always backport all security fixes, so no, LTS is not better than just sticking with the latest release. It’s not like using a beta OS; the “latest” kernel version is the latest stable release, not the bleeding-edge alpha/beta/whatever.

4 Likes

LTS stands for Long Term Support. I’ll start with this quote from Wikipedia:

LTS applies the tenets of reliability engineering to the software development process and software release life cycle. Long-term support extends the period of software maintenance; it also alters the type and frequency of software updates (patches) to reduce the risk, expense, and disruption of software deployment, while promoting the dependability of the software. It does not necessarily imply technical support.

TL;DR: LTS makes the trade-off of the latest features in favor of reliability. This isn’t necessarily a security thing - critical patches will typically go to both LTS and latest. Non-critical patches may not get to LTS, so there may technically be a larger security gap.

With this, the benefit is that it greatly reduces the risk of unexpected changes or bugs in the latest kernel (keep in mind the kernel is still pretty high-quality software). Whether or not the risk of latest vs LTS matters depends on your use case. For example, a server running company production software may run LTS, then be carefully migrated to the subsequent LTS after it’s released. For a desktop environment or everyday users, it probably isn’t as big of a deal unless you’ve got strict software you need to run that greatly prefers LTS (i.e. you are running Steam Proton, where Valve recommends LTS).

1 Like

Use latest stable (currently 6.10) wherever possible.

If you really need LTS, I wouldn’t go further back than 6.1, and preferably use the latest one (6.6).

4 Likes

In terms of security, no, you might miss out on some fixes that haven’t been backported (especially when it’s not the upstream Linux LTS kernel but custom versions with their own backports like those used by Debian, Ubuntu, Red Hat and SUSE).

But in practice, I’d say unless you think you might be a target of hacking or otherwise need to have the best security, LTS can give you the peace of mind that your OS won’t just break after an update. Particularly for servers or a PC you use for work.

A compromise could be openSUSE or Fedora Atomic - they use the newest kernels but allow rolling back updates if anything goes wrong.

1 Like

On this topic, I have a doubt: the latest LTS is 6.6. I just don’t get how Ubuntu LTS is using 6.8. Do they backport patches?

@ikelatomig
Yep, this is why I can’t recommend any desktop distro that doesn’t use official kernel.org branches.

Take a look at this example:

4 Likes
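A quick way to check the point raised above, namely whether the kernel you are running actually belongs to a maintained kernel.org stable/longterm series or is a vendor-only build like Ubuntu’s 6.8, is to compare `uname -r` against the kernel.org release list. This is an added example, not code from the thread or from kernel.org; it assumes the feed has the shape of releases.json (fields `moniker`, `version`, `iseol`), and the version numbers in the embedded snapshot are constructed for illustration, not current values.

```python
import re

# Constructed snapshot shaped like kernel.org's releases.json. The field names
# (moniker, version, iseol) are an assumption about that feed; the numbers are
# illustrative only, not a claim about what is current.
SAMPLE_RELEASES = {
    "releases": [
        {"moniker": "mainline", "version": "6.11-rc4", "iseol": False},
        {"moniker": "stable", "version": "6.10.6", "iseol": False},
        {"moniker": "longterm", "version": "6.6.47", "iseol": False},
        {"moniker": "longterm", "version": "6.1.106", "iseol": False},
        {"moniker": "longterm", "version": "5.10.224", "iseol": False},
    ]
}

# major.minor, optional .patch, then whatever the vendor appended (e.g. "-45-generic").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Split '6.8.0-45-generic' into (6, 8, 0, '-45-generic')."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def classify(uname_release, releases=SAMPLE_RELEASES):
    """Report which maintained kernel.org series a running kernel belongs to, if any."""
    major, minor, patch, suffix = parse_version(uname_release)
    result = {"series": f"{major}.{minor}", "vendor_suffix": suffix,
              "moniker": None, "patches_behind": None}
    for rel in releases["releases"]:
        rmaj, rmin, rpatch, _ = parse_version(rel["version"])
        # Only stable/longterm trees receive backported fixes; mainline is development.
        if (rmaj, rmin) != (major, minor) or rel["iseol"]:
            continue
        if rel["moniker"] in ("stable", "longterm"):
            result["moniker"] = rel["moniker"]
            result["patches_behind"] = max(rpatch - patch, 0)
            break
    # No matching kernel.org series means every fix you receive is the
    # distributor's own backport, which is the situation discussed above.
    result["vendor_maintained_only"] = result["moniker"] is None
    return result


if __name__ == "__main__":
    for v in ("6.10.6", "6.6.40", "6.8.0-45-generic", "6.1.106"):
        print(v, classify(v))
```

On a live system, pass `platform.release()` (or the output of `uname -r`) to `classify` together with the parsed JSON from kernel.org instead of the embedded snapshot.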

Informative and unfortunate. I’d expect them to be negligent with random packages, but not with the kernel :( . I guess it’s one more reason to recommend against Ubuntu.

10 posts were split to a new topic: Debian-based distro that has the latest kernel patches?

Really appreciate these very informative posts of yours, thanks. I guess this is yet another reason not to recommend Ubuntu.