Re: Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Mikko Rapeli
Long ago I started one thread about making security updates effective, so...

On Mon, Sep 01, 2014 at 08:48:25PM +0200, Thijs Kinkhorst wrote:
> My questions to this list:
> - Do people agree that this would be something that's good to have in a 
> default installation? Are there drawbacks?

Well, one drawback is having to trust a system running potentially vulnerable
software.

As a Debian user I'd like to get the information on how to make updates
effective also from the trusted developers and security update folks.

It would be nice for DSAs to say "After updating the packages you need to
restart the computer", or an optimization like needing to re-login, restart
the browser etc., and maybe even the possibility to automatically do this,
or at least prompt the user. This is what Ubuntu has managed to do, AFAIK.

https://www.debian.org/security/2014/dsa-3012

"We recommend that you upgrade your eglibc packages."

Updating eglibc packages is hardly enough to fix the problem.

As a workaround I, and hopefully most users, know about debian-goodies
and checkrestart, and figure out on their own if a reboot is necessary.

-Mikko


Archive: https://lists.debian.org/20140901211144.gl9...@lakka.kapsi.fi



Re: Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Cyril Brulebois
Thijs Kinkhorst  (2014-09-01):
> My questions to this list:
> - Do people agree that this would be something that's good to have in
>   a default installation? Are there drawbacks?

Having to know about debian-goodies always looked awkward to me. A
dedicated, easy to identify package looks like a nice idea to me.

> - If agreed, how would we approach this? I have to admit that I do not
>   know who decides what is part of a default install or where this is
>   implemented.

(Hopefully the following isn't too far from reality, just had a very
quick look.)

That would be the standard task, defined in tasksel (tasks/standard)
with “Packages: standard”, which pulls packages with that priority;
FWIW that task is a bit special since it's not defined as a task-$foo
package.

Mraw,
KiBi.




Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Thijs Kinkhorst
Hi all,

When using APT to install security updates, by default services using the 
upgraded libraries are not restarted. Take for example openssl updates: merely 
doing apt-get update && apt-get upgrade is not enough to be safe: you also 
need to restart Apache, Postfix, ...

Although well-trained admins will know this and take appropriate measures, not 
everyone will be aware of this. It gets even more confusing as a few packages 
implement some kind of service restarting logic, while the majority doesn't.

I think it would help the security of the average Debian system if some tool 
to restart services after package upgrades was installed by default. There's 
"checkrestart" from debian-goodies, but since Jessie also the somewhat more 
modern "needrestart" in its own package. I've been running the latter on a few 
systems for a while now and am satisfied with how it works.

My questions to this list:
- Do people agree that this would be something that's good to have in a 
default installation? Are there drawbacks?
- If agreed, how would we approach this? I have to admit that I do not know 
who decides what is part of a default install or where this is implemented.


Cheers,
Thijs
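As an added illustration of what checkrestart and needrestart look for (example code written for this page, not part of the thread or of either tool): a process that still maps a library whose file was replaced by an upgrade shows the old path with a "(deleted)" suffix in /proc/<pid>/maps. The regex, the filtering heuristic and the sample maps content are assumptions made here.

```python
import re
from pathlib import Path

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ (\d+)\s*(.*)$")
_DELETED = " (deleted)"

def deleted_libs_from_maps(maps_text):
    """Sorted list of code mappings whose backing file was since unlinked."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m or m.group(1) == "0":      # anonymous, [heap], [stack] ...
            continue
        path = m.group(2)
        if not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)]
        # Keep code mappings only; a deleted tmp file is not a restart reason.
        if ".so" in path.rsplit("/", 1)[-1] or "/bin/" in path or "/sbin/" in path:
            found.add(path)
    return sorted(found)

def scan_running_processes(proc="/proc"):
    """{pid: (comm, [stale paths])} for readable processes; run as root for all."""
    results = {}
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            maps = (entry / "maps").read_text()
            comm = (entry / "comm").read_text().strip()
        except OSError:                     # process exited or not ours
            continue
        stale = deleted_libs_from_maps(maps)
        if stale:
            results[int(entry.name)] = (comm, stale)
    return results

# Constructed sample: a daemon still running the pre-upgrade libssl.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1ff000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2a800000-7f1c2a821000 rw-p 00000000 00:00 0 [heap]
7f1c2b000000-7f1c2b001000 rw-s 00000000 08:01 262144 /tmp/scratch-file (deleted)
"""
if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_running_processes().items()):
        print(f"{pid} {comm}: {', '.join(libs)}")
```

On a live system the scan needs root to read other users' maps, and a process that only dlopen()ed a library after start-up is caught the same way, since the check is on mappings rather than on package metadata.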

