Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
On Wed, Oct 19, 2016, at 20:32, Alexander Schreiber wrote:
> On Wed, Oct 19, 2016 at 12:51:06PM -0200, Henrique de Moraes Holschuh wrote:
> > On Tue, Oct 18, 2016, at 18:21, Florian Weimer wrote:
> > > Right. Debian kernel updates can only be applied with a reboot. If
> > > we publish a kernel update, its mere availability may put some of our
> > > users out of compliance with their policies, which is why we batch
> > > these updates.
> >
> > Is this correct? Really?
>
> Well, in certain environments I would not be surprised by a security policy
> that boils down to: "If a security patch from [authorized source] becomes
> available, it must be applied to all applicable systems within [short
> time]."
I was asking about the kernel team's policy.
I could care less for the policies of "certain environments", they are
NOT likely to be a problem: any remotely sane site with a policy that
enforces a deadline to install security updates (including reboots) will
also have policies on scheduling the required maintenance window for
such updates, *including* what to do when the maintenance window can't
be scheduled to avoid SLA violations. And that's for environments where
you can't just do staggered updates, taking a set of nodes offline to
update and regression-test, and bring them back to production (or
rollback/abort the update should a regression be detected) without much
(if any) impact to services.
--
Henrique de Moraes Holschuh <hmh@debian.org>