Risks of running custom kernels

Without wishing to detract anything from the individuals who put in a lot of time and effort into producing custom kernels for us lazy masses, just what exactly are the (theoretical) risks of running a custom kernel?

I say 'theoretical' because I'm not implying that anyone has malicious intent, but essentially this boils down to downloading code off the internet from an unknown source.

So really this is just an academic question for those of you who know far more than I about such things

(Again, many thanks to all of those who do produce custom kernels etc)

 

No worse than the risks of running anything else on your computer. I'm not aware of any malicious kernels out there, but there's a HUGE difference between compiling a custom kernel and rewriting chunks of it to be malicious.

Really, there's very little done when you compile a custom kernel - you're generally not writing any new code, merely changing the config to change what's included in the kernel package. It's as simple as checking things off a list and then making a sandwich while it compiles. If you're paranoid, you can ask maintainers for their .config file and then pull down and compile the kernel yourself, ensuring it's using the official kernel sources which are generally safe.

On the other hand, someone would have to rewrite the modules in the kernel source code to do malicious activity while still maintaining the appearance of working as intended - far more work than writing a simple malicious piece of code and sending it out to people.

 

Compiling from .config files introduces no more risks than what would be from a peer reviewed kernel source.

Trojaned kernel sources are very rare:

http://www.bitkeeper.com/press/2003-11-10-0001.html

 

As the OP stated, this is all academic, but just for fun.

The Q was wrt random kernel binaries, not peer reviewd kernel sources. In theory a huge difference, but in practice?

I have 0 concern when I download the source from kernel.org and compile (even with a strangers .config).

On a scale of 0-10, where 0 = power off and 10 = sending my bank info to the son of the ex PM of Uganda, I would rate loading a random kernel at < .001 .

So to the OP, yes in THEORY it's a risk, but well less than opening up your bank account info in I.E. or even thinking about using Outlook.

If you are truly paranoid, go with what casao suggested and dataway confirmed by going back to compiling yourself.

 

Insightful replies, thank you

I've used linux for several years now, but only as an end user so I figure I should start to learn some more about it.

Many thanks again

 

Compiling a kernel is relatively easy; it was one of the first things I did when I first started using Linux. If you're unsure of the provenance, download (but don't install) the custom kernel, compare the config file to the config file of a standard kernel, and if nothing is amiss, download the kernel source from kernel.org and compile using the custom config file.