
When are security updates effective?



Files on the file system are updated by apt[itude] and dpkg. But
then what?

Most server packages restart the services after upgrades. Most library
and desktop application packages don't.

Should the local admin take a look at each upgrade and manually check which
files changed on the Debian installation, and based on that restart services,
programs, kick users out, jump to run level 1 and back, reboot the system
etc. as suggested by the Securing Debian Manual [1]?

Could Debian security advisories help a bit, since the people making the
packaging changes probably know how to make the changes effective on a
running installation too?

It seems that Ubuntu advisories already contain a nice notice which
defaults to 'you need to reboot your computer to effect the necessary changes'
[2] unless the package in question can handle upgrades and 'a standard
system upgrade is sufficient to effect the necessary changes' [3] or the
package is just an application and 'you need to restart Firefox to
effect the necessary changes' [4].

For the record, SUSE advisories also contain this kind of
instruction [5] while Fedora [7] and RedHat don't [6]. (The proprietary
up2date probably does some magic behind the curtains.)

If the upgrades have a few standard ways to become effective, then
automation for them might be the next step. Has this been discussed
somewhere before?

-Mikko

[1] http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-security-update
[2] https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-August/000378.html
[3] https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-July/000375.html
[4] https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-August/000377.html
[5] http://www.novell.com/linux/security/advisories/2006_48_seamonkey.html
[6] https://rhn.redhat.com/errata/RHSA-2006-0582.html
[7] https://www.redhat.com/archives/fedora-package-announce/2006-August/msg00099.html
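
An added example, not part of the original message: one way to automate the "which running programs still use the old files" check, assuming a Linux /proc where a mapped file that has since been replaced is listed in /proc/<pid>/maps with a " (deleted)" suffix. The function names, the ignore list and the sample data are assumptions made for this illustration.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps content (not taken from a real system).
SAMPLE_MAPS = """\
08048000-08100000 r-xp 00000000 08:01 131090 /usr/sbin/apache2
b7d00000-b7e20000 r-xp 00000000 08:01 262200 /usr/lib/libssl.so.0.9.8 (deleted)
b7e20000-b7e30000 rw-p 00120000 08:01 262200 /usr/lib/libssl.so.0.9.8 (deleted)
b7f00000-b7f10000 rw-s 00000000 00:09 32769 /SYSV00000000 (deleted)
b7f10000-b7f20000 r-xp 00000000 08:01 9999 /tmp/jit-cache (deleted)
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# Fields: address perms offset dev inode path; capture perms and the path.
MAPS_LINE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+\d+\s+(/.*) \(deleted\)$")
# Assumed ignore list: scratch files and shared memory, not packaged code.
IGNORED_PREFIXES = ("/tmp/", "/dev/", "/SYSV", "/run/", "/var/run/", "/memfd:")

def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose file on disk is gone."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if "x" in perms and not path.startswith(IGNORED_PREFIXES):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc="/proc"):
    """Map each PID under `proc` to the stale code it still has mapped."""
    results = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as f:
                stale = stale_mappings(f.read())
        except OSError:
            continue  # process exited meanwhile, or we may not read it
        if stale:
            results[int(entry)] = stale
    return results

if __name__ == "__main__":
    print(stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

Run as root after an upgrade to see every process; each PID it reports is still executing code from before the upgrade and has to be restarted for the fix to take effect.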


