Re: GPG errors from apt update

2006-08-31 Thread Simon Valiquette


Stephen Gran once wrote:
>
> It sounds like the mirror is toast.  Please mail the mirror admins.
> I don't have an email address off hand, sorry, but it should be
> either on the mirrors page or the organization page of debian.org.


  Behind ftp.us.debian.org, there are actually 4 mirrors, so there is
not any specific email address about it except maybe the Debian mirror
mailing list.  Could it be a problem with only one of those mirrors?

  Here are the 4 servers serving ftp.us.debian.org if you wish to check
them individually:

ike.egr.msu.edu
archive.progeny.com
debian-mirror.mirror.umn.edu
mirrors1.kernel.org

  Could it be something about bad synchronization between those
servers?  I don't think it should happen under normal circumstances,
especially with the 2-stage mirroring scheme, but it might be worth
verifying.


Simon Valiquette
http://gulus.USherbrooke.ca
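
One way to test the out-of-sync hypothesis on index files fetched from a single mirror: recompute each file's size and MD5 and compare them with the MD5Sum section of that mirror's Release file, which is the comparison behind apt's "MD5Sum mismatch". This is an added example, not part of Simon's message; the function names and the sample snapshot are constructed, and the Release file itself is only trustworthy once its Release.gpg signature verifies.

```shell
#!/bin/sh
# Added example (not from the thread): compare downloaded index files with the
# MD5Sum section of a Release file. All names and sample data are constructed.

# release_md5_entries RELEASE
# Print "md5 size path" for every entry in the MD5Sum: section.
release_md5_entries() {
    awk '
        /^MD5Sum:/      { in_md5 = 1; next }
        /^[^ ]/         { in_md5 = 0 }   # any other header line ends the section
        in_md5 && NF==3 { print $1, $2, $3 }
    ' "$1"
}

# check_indexes RELEASE DIR
# For each listed file that exists under DIR print "OK path" or
# "MISMATCH path (reason)". Returns 1 if anything mismatched.
check_indexes() {
    release=$1 dir=$2 status=0
    entries=$(release_md5_entries "$release")
    while read -r want_md5 want_size path; do
        [ -n "$path" ] || continue
        file=$dir/$path
        [ -f "$file" ] || continue       # not downloaded: nothing to compare
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_md5=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ]; then
            echo "MISMATCH $path (size $got_size, Release says $want_size)"; status=1
        elif [ "$got_md5" != "$want_md5" ]; then
            echo "MISMATCH $path (md5 differs)"; status=1
        else
            echo "OK $path"
        fi
    done <<EOF
$entries
EOF
    return $status
}

# make_sample DIR
# Build a constructed mirror snapshot: Release describes both indexes, then
# the contrib index is overwritten to mimic a file from a different sync run.
make_sample() {
    d=$1
    mkdir -p "$d/main/binary-i386" "$d/contrib/binary-i386"
    printf 'Package: alpha\nVersion: 1.0\n' > "$d/main/binary-i386/Packages"
    printf 'Package: beta\nVersion: 2.0\n'  > "$d/contrib/binary-i386/Packages"
    {
        printf 'Origin: Debian\nSuite: testing\nMD5Sum:\n'
        for p in main/binary-i386/Packages contrib/binary-i386/Packages; do
            printf ' %s %s %s\n' "$(md5sum "$d/$p" | cut -d' ' -f1)" \
                "$(wc -c < "$d/$p" | tr -d ' ')" "$p"
        done
    } > "$d/Release"
    printf 'Package: beta\nVersion: 2.1\n' > "$d/contrib/binary-i386/Packages"
}

# Run with --demo to see the constructed snapshot checked.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample "$tmp"
    check_indexes "$tmp/Release" "$tmp"; rm -rf "$tmp"
fi
```

A Release and Packages pair that passes this check on one backend host and fails on another points at the mirror rotation rather than at the local keyring.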




Re: GPG errors from apt update

2006-08-31 Thread Stephen Gran
This one time, at band camp, Hedges, Mark said:
> > So, will someone take this seriously?
> 
> Now I tried update again with no further changes and it is totally
> fubar:

It sounds like the mirror is toast.  Please mail the mirror admins.  I
don't have an email address off hand, sorry, but it should be either on
the mirrors page or the organization page of debian.org.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




RE: GPG errors from apt update

2006-08-31 Thread Hedges, Mark
> So, will someone take this seriously?

Now I tried update again with no further changes and it is totally
fubar:

Failed to fetch http://ftp.us.debian.org/debian/dists/testing/main/binary-i386/Packages.bz2  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/testing/contrib/binary-i386/Packages.bz2  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/stable/main/binary-i386/Packages.gz  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/stable/non-free/binary-i386/Packages.gz  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/stable/contrib/binary-i386/Packages.gz  MD5Sum mismatch
Reading package lists... Done
W: Couldn't stat .

Does anyone know what's going on?

Mark





RE: GPG errors from apt update

2006-08-31 Thread Hedges, Mark
 
> 
> I had debian-archive-keyring installed already.  I still get 
> the error.  But it is sporadic -- usually if I wait a few 
> hours or switch direct to klecker (or back if klecker gives 
> the error) (or to and from ftp.us and the frontiernet mirror) 
> and try update again, it is fine, without any changes to keys 
> on my part.
> 
> I realize this resembles an old issue that is easily 
> dismissed, but it is different from that problem, which was 
> reported in January and which I fixed then by installing 
> debian-archive-keyring and it worked for a long time.  
> These sporadic errors started mid-June of this year.  What's going on?

I hear you.  I have been trying to get someone to pay attention too.

To test this, I just deleted all of my keys with apt-key, removed
the debian-keyring and debian-archive-keyring packages, reinstalled
those packages (said 2006 key was imported), then tried apt-get update.

This time, the sporadic nature of the problem is clearly demonstrated.
I have ftp.us stable, testing and unstable + security stable and testing
in my sources.list.  I only got 1 error:

W: GPG error: http://ftp.us.debian.org testing Release: The following
signatures were invalid: BADSIG 010908312D230C5F Debian Archive
Automatic Signing Key (2006) <[EMAIL PROTECTED]>

But then, I tried apt-get update about 5 minutes later with NO CHANGES
and got these errors:

Failed to fetch http://ftp.us.debian.org/debian/dists/testing/main/binary-i386/PackagesIndex  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/testing/contrib/binary-i386/PackagesIndex  MD5Sum mismatch
Reading package lists... Done
W: Couldn't stat source package list http://ftp.us.debian.org testing/main Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_testing_main_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list http://ftp.us.debian.org testing/contrib Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list http://ftp.us.debian.org testing/main Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_testing_main_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list http://ftp.us.debian.org testing/contrib Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)

So, will someone take this seriously?

Mark





Re: GPG errors from apt update

2006-08-31 Thread Robert Dobbs



From: "Sam Morris" <[EMAIL PROTECTED]>
Date: Fri, 1 Sep 2006 00:01:03 + (UTC)

On Thu, 31 Aug 2006 11:50:44 -0700, Robert Dobbs wrote:
>
> But it does not matter.  I still get the same error on `apt-get update`:
>
> W: GPG error: http://security.debian.org stable/updates Release: The
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>
> W: GPG error: http://security.debian.org testing/updates Release: The
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>

Isn't BADSIG indicative of a bad signature rather than a missing key?


Yes, that's why it seemed like a problem with the server, and a good idea 
initially to ask on this list, but I guess no one cares.





Re: GPG errors from apt update

2006-08-31 Thread Sam Morris
On Thu, 31 Aug 2006 11:50:44 -0700, Robert Dobbs wrote:
> That key is in debian-keyring, but was not in apt.
> 
> I had to manually add the /usr/share/keyrings/debian-keyring.* keyrings to 
> ~root/.gnupg/gpg.conf, then extract the keys and add with apt-key.
> 
> Shouldn't this be automatic?
> 
> But it does not matter.  I still get the same error on `apt-get update`:
> 
> W: GPG error: http://security.debian.org stable/updates Release: The 
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>
> W: GPG error: http://security.debian.org testing/updates Release: The 
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>

Isn't BADSIG indicative of a bad signature rather than a missing key?

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078





Re: GPG errors from apt update

2006-08-31 Thread Robert Dobbs



From: Daniel Leidert <[EMAIL PROTECTED]>
Date: Fri, 01 Sep 2006 01:30:51 +0200


Just install the mentioned debian-archive-keyring package and run
'apt-key update'. Probably you fetched the wrong key:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --list-keys


does not list the 2006er archive key.


I had debian-archive-keyring installed already.  I still get the error.  But 
it is sporadic -- usually if I wait a few hours or switch direct to klecker 
(or back if klecker gives the error) (or to and from ftp.us and the 
frontiernet mirror) and try update again, it is fine, without any changes to 
keys on my part.


I realize this resembles an old issue that is easily dismissed, but it is 
different from that problem, which was reported in January and which I fixed 
then by installing debian-archive-keyring and it worked for a long time.  
These sporadic errors started mid-June of this year.  What's going on?





Re: GPG errors from apt update

2006-08-31 Thread Daniel Leidert
On Thursday, 31.08.2006 at 11:50 -0700, Robert Dobbs wrote:
> That key is in debian-keyring, but was not in apt.

> I had to manually add the /usr/share/keyrings/debian-keyring.* keyrings to 
> ~root/.gnupg/gpg.conf, then extract the keys and add with apt-key.

There is no need to add them to root's gpg.conf. The necessary key can
be easily extracted without such an action (IMO).

> Shouldn't this be automatic?

It is. But the keyrings are in debian-archive-keyring (because they did
not make it into debian-keyring for months - no idea why).

> But it does not matter.  I still get the same error on `apt-get update`:
> 
> W: GPG error: http://security.debian.org stable/updates Release: The 
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>
> W: GPG error: http://security.debian.org testing/updates Release: The 
> following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
> Automatic Signing Key (2006) <[EMAIL PROTECTED]>

Just install the mentioned debian-archive-keyring package and run
'apt-key update'. Probably you fetched the wrong key:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --list-keys

does not list the 2006er archive key.

Regards, Daniel





Re: When are security updates effective?

2006-08-31 Thread Henrique de Moraes Holschuh
On Thu, 31 Aug 2006, Sam Morris wrote:
> > You can check with 
> > 
> > # lsof +L1
> > 
> > It will show you open Files that have been
> > unlinked. If any of those are part of the upgraded
> > packages, you restart that process.
> 
> Note that this has been broken since at most Linux 2.6.8. Relying on it
> may cause you to not notice that some processes need to be restarted after
> upgrading a package containing a shared library.
> 
> 

Indeed. lsof +L1 is currently useless for detecting unlinked libraries. 

I've been using lsof | grep "path inode" to detect them for a while now.
Still, I hope the older, saner lsof +L1 behaviour can be restored soon...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
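
The check discussed in this subthread, done without lsof by reading /proc/<pid>/maps, where the kernel appends " (deleted)" to a mapping whose file has been unlinked. This is an added example, not code from the thread and not Sam's psdel script; the function names and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find running processes that still
# map a shared object whose file on disk was replaced by a package upgrade.

# deleted_libs_in_maps FILE
# FILE is in /proc/<pid>/maps format. Print each distinct path that is mapped
# executable and that the kernel has marked " (deleted)".
deleted_libs_in_maps() {
    awk '
        $2 ~ /x/ && NF >= 7 && $NF == "(deleted)" &&
        $6 ~ /^\// && $6 !~ /^\/(memfd:|dev\/|SYSV)/ {
            path = $6                    # paths may contain spaces
            for (i = 7; i < NF; i++) path = path " " $i
            if (!(path in seen)) { seen[path] = 1; print path }
        }
    ' "$1"
}

# scan_procs [PROC_ROOT]
# Walk every numeric directory under PROC_ROOT (default /proc) and print
# "pid<TAB>command<TAB>deleted-library" for each hit. Run as root to see
# other users' processes.
scan_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid_dir=${maps%/maps}
        pid=${pid_dir##*/}
        comm='?'
        if [ -r "$pid_dir/comm" ]; then read -r comm < "$pid_dir/comm" || true; fi
        # A process may exit mid-scan; ignore the resulting read error.
        deleted_libs_in_maps "$maps" 2>/dev/null |
        while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# make_sample_proc DIR
# Build a constructed /proc-like tree: pid 101 still maps the old libtiff
# after an upgrade, pid 202 was started afterwards and maps nothing deleted.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo kdm  > "$1/101/comm"
    echo sshd > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
08048000-08060000 r-xp 00000000 08:01 4001 /usr/bin/kdm
b7c00000-b7c4e000 r-xp 00000000 08:01 5001 /usr/lib/libtiff.so.4.2.0 (deleted)
b7c4e000-b7c50000 rw-p 0004e000 08:01 5001 /usr/lib/libtiff.so.4.2.0 (deleted)
b7d00000-b7e20000 r-xp 00000000 08:01 5002 /lib/libc-2.3.6.so
b7f00000-b7f10000 rw-s 00000000 00:07 0 /SYSV00000000 (deleted)
b7f20000-b7f21000 r-xp 00000000 00:01 9 /memfd:jit (deleted)
bffe0000-c0000000 rw-p bffe0000 00:00 0 [stack]
EOF
    cat > "$1/202/maps" <<'EOF'
08048000-08090000 r-xp 00000000 08:01 4002 /usr/sbin/sshd
b7d00000-b7e20000 r-xp 00000000 08:01 5002 /lib/libc-2.3.6.so
EOF
}

# Run with --live to scan the real /proc of this machine.
if [ "${1:-}" = "--live" ]; then scan_procs /proc; fi
```

Mappings under /memfd:, /dev/ and SYSV are skipped because they are unlinked by design; any other deleted file that is mapped executable is listed.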





Re: GPG errors from apt update

2006-08-31 Thread Davide Prina

ahi, ahi, ahi ... top posting ... this is bad ;-)

Robert Dobbs wrote:

I cannot do it because of my company's firewall.


you can go to a keyring site and download the key from here


Why is the key not in debian-keyring package?


key is updated each year ... but next update will be in January (I think)

Ciao
Davide

--
Dictionaries: http://linguistico.sourceforge.net/wiki
Browser: http://www.mozilla.org/products/firefox
GNU/Linux User: 302090: http://counter.li.org
I do not authorize the storing of my address in Outlook





Re: GPG errors from apt update

2006-08-31 Thread Robert Dobbs

That key is in debian-keyring, but was not in apt.

I had to manually add the /usr/share/keyrings/debian-keyring.* keyrings to 
~root/.gnupg/gpg.conf, then extract the keys and add with apt-key.


Shouldn't this be automatic?

But it does not matter.  I still get the same error on `apt-get update`:

W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>
W: GPG error: http://security.debian.org testing/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>


Mark



From: Davide Prina <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: Re: GPG errors from apt update
Date: Thu, 31 Aug 2006 19:59:23 +0200

Robert Dobbs wrote:

W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian


have you updated that key before?

# gpg --keyserver pgp.mit.edu --recv-keys 010908312D230C5F
# gpg --armor --export 010908312D230C5F | apt-key add -

Ciao
Davide

--
Dictionaries: http://linguistico.sourceforge.net/wiki
Leave illegality behind: use OpenOffice.org:
http://linguistico.sourceforge.net/wiki/doku.php?id=UsaOOo
I do not authorize the storing of my address in Outlook






Re: GPG errors from apt update

2006-08-31 Thread Robert Dobbs

I cannot do it because of my company's firewall.

Why is the key not in debian-keyring package?

-JR



From: Davide Prina <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: Re: GPG errors from apt update
Date: Thu, 31 Aug 2006 19:59:23 +0200

Robert Dobbs wrote:

W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian


have you updated that key before?

# gpg --keyserver pgp.mit.edu --recv-keys 010908312D230C5F
# gpg --armor --export 010908312D230C5F | apt-key add -

Ciao
Davide

--
Dictionaries: http://linguistico.sourceforge.net/wiki
Leave illegality behind: use OpenOffice.org:
http://linguistico.sourceforge.net/wiki/doku.php?id=UsaOOo
I do not authorize the storing of my address in Outlook






Re: GPG errors from apt update

2006-08-31 Thread Davide Prina

Robert Dobbs wrote:

W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian 


have you updated that key before?

# gpg --keyserver pgp.mit.edu --recv-keys 010908312D230C5F
# gpg --armor --export 010908312D230C5F | apt-key add -

Ciao
Davide

--
Dictionaries: http://linguistico.sourceforge.net/wiki
Leave illegality behind: use OpenOffice.org:
http://linguistico.sourceforge.net/wiki/doku.php?id=UsaOOo
I do not authorize the storing of my address in Outlook



RE: GPG errors from apt update

2006-08-31 Thread Robert Dobbs

I just got this one, too:

Failed to fetch http://ftp.us.debian.org/debian/dists/unstable/main/binary-i386/Packages.bz2  MD5Sum mismatch
Failed to fetch http://ftp.us.debian.org/debian/dists/unstable/non-free/binary-i386/Packages.bz2  MD5Sum mismatch





From: "Robert Dobbs" <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: GPG errors from apt update
Date: Thu, 31 Aug 2006 10:24:07 -0700

I get these errors trying to update my system.  Did someone hack the 
security server?


W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>
W: GPG error: http://security.debian.org testing/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>





GPG errors from apt update

2006-08-31 Thread Robert Dobbs
I get these errors trying to update my system.  Did someone hack the 
security server?


W: GPG error: http://security.debian.org stable/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>
W: GPG error: http://security.debian.org testing/updates Release: The 
following signatures were invalid: BADSIG 010908312D230C5F Debian Archive 
Automatic Signing Key (2006) <[EMAIL PROTECTED]>





Re: When are security updates effective?

2006-08-31 Thread Sam Morris
On Thu, 31 Aug 2006 09:55:26 +0200, Rolf Kutz wrote:

> * Quoting Mikko Rapeli ([EMAIL PROTECTED]):
> 
>> On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
>> > Mikko Rapeli wrote:
>> > > Could Debian security advisories help a bit, since the people making the
>> > > packaging changes probably know how to make the changes effective on a
>> > > running installation too?
>> > 
>> > If there's anything special to do (e.g. kernel or glibc) we already add this
>> > to the DSA text.
>> 
>> Yes, that's great, but some of the non-special cases are not that
>> obvious. Should I reboot or at least restart kdm after libtiff4 update?
>> 
>> On one host I get the feeling I don't since 'lsof 2>/dev/null | grep libtiff'
>> returns nothing. Then again this would suggest, that at least kde/kdm
>> needs to be restarted:
>> 
>> # apt-cache rdepends libtiff4|grep kde
>>   kdelibs4
>>   kdegraphics-kfile-plugins
>> 
>> So which one is it?
> 
> You can check with 
> 
> # lsof +L1
> 
> It will show you open Files that have been
> unlinked. If any of those are part of the upgraded
> packages, you restart that process.
> 
> - Rolf

Note that this has been broken since at most Linux 2.6.8. Relying on it
may cause you to not notice that some processes need to be restarted after
upgrading a package containing a shared library.



I currently rely on both lsof and the psdel script I wrote, linked to from
that bug report.

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078





Re: When are security updates effective?

2006-08-31 Thread Giacomo Mulas

On Thu, 31 Aug 2006, Hans wrote:


It's a good idea but it will not catch all cases, some apps run for days
without any user interventions, nothing guarantees that the pop up will
be seen, sending an email if the popup is not dismissed after a delay
could mitigate this.


I agree it will not catch all cases, but it will catch a good deal more than
the current situation. Sending an email may help catch some more cases, but
then a process may belong to a noninteracting user who never receives/reads
email. Maybe we can also have another timer which will actually send a
SIGTERM to still running processes which need to be restarted, after the
email also went unnoticed. But then, there might be cases in which you do
know what you are doing and really don't want to interrupt the running
process (say a very long scientific calculation on a completely isolated,
dedicated computer, where security is not a problem). There is no "one size
fits all" solution.

Bye
Giacomo

--
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_




Re: When are security updates effective?

2006-08-31 Thread Hans
On Thursday 31 August 2006 at 10:08 +0200, Giacomo Mulas wrote:
> On Wed, 30 Aug 2006, Noah Meyerhans wrote:
> 
> > workstations for which I'm responsible, and it's difficult for me to
> > make sure that the users e.g. restart firefox when we release an update.
> 
> It would be nice to agree to a convention whereas when an app gets some
> well-defined signal it ought to tell the user it needs to be restarted as
> soon as possible. 

It should not have to be the app that does the notification. This way
applications need no modifications for this to work.

> Then we could add some simple logic to the postinst
> scripts for security updates using, e.g., lsof to find which processes are
> using the replaced library and send signals to them.

with this he knows who is running which apps that use the old libs, no
need to notify the apps, notify the user.

"chkrestart" will tell you which old files, libraries are opened by
running processes. 

>  Ok, it's not something
> in the short term but it would be sensible in the long run. 

If it does not need any modification for the apps then it can be
implemented faster.

> And it could
> actually work. Otherwise, another (sort of) solution would be to have the
> script identify the user that is running the process to be restarted and use
> a standardised solution to tell him/her the app ought to be restarted (e.g.
> wall on a terminal, a popup if he/she is running it on a graphical
> environment). Whaddya think?

It's a good idea but it will not catch all cases, some apps run for days
without any user interventions, nothing guarantees that the pop up will
be seen, sending an email if the popup is not dismissed after a delay
could mitigate this.

Hans.

> 
> Bye
> Giacomo
> 
> -- 
> _
> 
> Giacomo Mulas <[EMAIL PROTECTED]>
> _
> 
> OSSERVATORIO ASTRONOMICO DI CAGLIARI
> Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
> 
> Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
> Tel. (UNICA): +39 070 675 4916
> _
> 
> "When the storms are raging around you, stay right where you are"
>   (Freddy Mercury)
> _
> 



Re: When are security updates effective?

2006-08-31 Thread Giacomo Mulas

On Wed, 30 Aug 2006, Noah Meyerhans wrote:


workstations for which I'm responsible, and it's difficult for me to
make sure that the users e.g. restart firefox when we release an update.


It would be nice to agree to a convention whereas when an app gets some
well-defined signal it ought to tell the user it needs to be restarted as
soon as possible. Then we could add some simple logic to the postinst
scripts for security updates using, e.g., lsof to find which processes are
using the replaced library and send signals to them. Ok, it's not something
in the short term but it would be sensible in the long run. And it could
actually work. Otherwise, another (sort of) solution would be to have the
script identify the user that is running the process to be restarted and use
a standardised solution to tell him/her the app ought to be restarted (e.g.
wall on a terminal, a popup if he/she is running it on a graphical
environment). Whaddya think?

Bye
Giacomo

--
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_




Re: When are security updates effective?

2006-08-31 Thread Rolf Kutz
* Quoting Mikko Rapeli ([EMAIL PROTECTED]):

> On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> > Mikko Rapeli wrote:
> > > Could Debian security advisories help a bit, since the people making the
> > > packaging changes probably know how to make the changes effective on a
> > > running installation too?
> > 
> > If there's anything special to do (e.g. kernel or glibc) we already add this
> > to the DSA text.
> 
> Yes, that's great, but some of the non-special cases are not that
> obvious. Should I reboot or at least restart kdm after libtiff4 update?
> 
> On one host I get the feeling I don't since 'lsof 2>/dev/null | grep libtiff'
> returns nothing. Then again this would suggest, that at least kde/kdm
> needs to be restarted:
> 
> # apt-cache rdepends libtiff4|grep kde
>   kdelibs4
>   kdegraphics-kfile-plugins
> 
> So which one is it?

You can check with 

# lsof +L1

It will show you open Files that have been
unlinked. If any of those are part of the upgraded
packages, you restart that process.

- Rolf

