On Wed, Oct 5, 2011 at 12:54 AM, Marc Deslauriers <
<email address hidden>> wrote:
> Right now, the best way we have of determining if we're a server or a
> desktop is to check if X is running. It's not ideal, and suggestions are
> welcome.
>
I think my question is suggesting that there really isn't a principled
distinction between "desktop" and "server" for things like this.
> We need a way for sysadmins to get notifications that some of the major
> automatic updates they are installing, such as openssl and the kernel,
> require services and/or the system to get restarted after a security
> update. The mechanism we have now is the reboot notification tool.
>
It's the right tool, but the correct approach is the standard one: Debian
packages should do in-place upgrades, except the kernel. With libc much work
was spent figuring out what to restart and how, and it works. openssl should
do the same thing.
> I agree that a lot of libraries can have security issues also, and in
> fact, most of the server packages will gracefully restart when they get
> security updates. For openssl, and a few other select libraries, things
> are different. Security issues in openssl usually are of importance for
> network servers, and automatically restarting all the running daemons
> isn't an option, especially since the server could be running software
> that wasn't installed from packages in the archive. In this case, the
> reboot notification indicates to the sysadmin that manual intervention
> is needed. If the sysadmin decides that nothing on his server is
> affected, he can simply remove the reboot notification file. Yes, this
> solution is far from perfect, but the alternative is to disable
> notifications completely, which is not a viable option.
Not running X doesn't mean that someone is running ssl servers, right? Why
not look for ssl servers, specifically, and only if there are ssl servers
running, call for the reboot?
On Wed, Oct 5, 2011 at 12:54 AM, Marc Deslauriers <
<email address hidden>> wrote:
> Right now, the best way we have of determining if we're a server or a
> desktop is to check if X is running. It's not ideal, and suggestions are
> welcome.
>
I think my question is suggesting that there really isn't a principled
distinction between "desktop" and "server" for things like this.
> We need a way for sysadmins to get notifications that some of the major
> automatic updates they are installing, such as openssl and the kernel,
> require services and/or the system to get restarted after a security
> update. The mechanism we have now is the reboot notification tool.
>
It's the right tool, but the correct approach is the standard one: Debian
packages should do in-place upgrades, except the kernel. With libc much work
was spent figuring out what to restart and how, and it works. openssl should
do the same thing.
> I agree that a lot of libraries can have security issues also, and in
> fact, most of the server packages will gracefully restart when they get
> security updates. For openssl, and a few other select libraries, things
> are different. Security issues in openssl usually are of importance for
> network servers, and automatically restarting all the running daemons
> isn't an option, especially since the server could be running software
> that wasn't installed from packages in the archive. In this case, the
> reboot notification indicates to the sysadmin that manual intervention
> is needed. If the sysadmin decides that nothing on his server is
> affected, he can simply remove the reboot notification file. Yes, this
> solution is far from perfect, but the alternative is to disable
> notifications completely, which is not a viable option.
Not running X doesn't mean that someone is running ssl servers, right? Why
not look for ssl servers, specifically, and only if there are ssl servers
running, call for the reboot?
Thomas