
Re: Upgrading Kernels...

> I believe that this issue has caused serious doubts for many users about the 
> possibility of running a typical secure Linux server with medium sysadmin
> skills.  As I gather, running "apt-get upgrade" is not sufficient to patch a 
> vulnerable system for this exploit, meaning that the method recommended for 
> "Keeping your Debian system secure" on security.debian.org is insufficient.

Those doubts may be well-founded.  While no one should rely only on
apt and security.debian.org, it cannot be doubted that the ease of using
this mechanism lures people into a false sense of security.  The fact that
kernels are not automatically upgraded compounds the issue.

Upgrading kernels automatically, à la up2date and Windows Update, is
certainly a bad idea.  Even having a kernel in the "not-upgraded" output
from apt may not be obvious to all users, especially when there may be
risks involved.

Perhaps another mechanism could be devised that warns the users during
"apt-get upgrade" that an important security fix is
available and that package needs to be installed manually.  I'm thinking
something along the lines of a "critical-update" package that is
never "held back". During installation, verbose text could be
displayed (whiptail, etc...) explaining the importance of the upgrade as
well as any caveats associated with it.  The package itself would not
install any software, only serve as a warning.

Just an idea. I apologize if this has already been discussed.


