Re: Checking for services to be restarted on a default Debian installation
On 20140901_2048+0200, Thijs Kinkhorst wrote:
> Hi all,
> When using APT to install security updates, by default services using the
> upgraded libraries are not restarted. Take for example openssl updates: merely
> doing apt-get update && apt-get upgrade is not enough to be safe: you also
> need to restart Apache, Postfix, ...
> Although well-trained admins will know this and take appropriate measures, not
> everyone will be aware of this. It gets even more confusting as a few packages
> implement some kind of service restarting logic, while the majority doesn't.
> I think it would help the security of the average Debian system if some tool
> to restart services after package upgrades was installed by default. There's
> "checkrestart" from debian-goodies, but since Jessie also the a bit more
> modern "needrestart" in its own package. I've been running the latter on a few
> systems for a while now and am satisfied with how it works.
> My questions to this list:
> - Do people agree that this would be something that's good to have in a
> default installation? Are there drawbacks?
I am a single user on a self admin system of three pentium hosts. I need all
the help/automation I can get to keep my systems clean and correctly configured.
Maybe there are serious drawbacks for people who have other situations, so maybe
there is no way to meet my needs, but I seriously doubt it. The problem, I think,
is that the serious sysadmin professionals would mistrust the way the details
are done if the leave it to someone else. So, I suppose, that a serious effort
should be made to *document* all the boundary and corner cases that have been
covered in the default install. Either way, I know I will muddle along never
fully understanding the nitty-gritty detail. The benefit to the people to know
is a decreased burden of helping people like me on the debian-user list.
> - If agreed, how would we approach this? I have to admit that I do not know
> who decides what is part of a default install or where this is implemented.
Paul E Condon