On Wed, Oct 19, 2016, at 20:32, Alexander Schreiber wrote:
> On Wed, Oct 19, 2016 at 12:51:06PM -0200, Henrique de Moraes Holschuh wrote:
> > On Tue, Oct 18, 2016, at 18:21, Florian Weimer wrote:
> > > Right. Debian kernel updates can only be applied with a reboot. If
> > > we publish a kernel update, its mere availability may put some of our
> > > users out of compliance with their policies, which is why we batch
> > > these updates.
> >
> > Is this correct? Really?
>
> Well, in certain environments I would not be surprised by a security policy
> that boils down to: "If a security patch from [authorized source] becomes
> available, it must be applied to all applicable systems within [short
> time]."
I was asking about the kernel team's policy. I could care less for the policies of "certain environments"; they are NOT likely to be a problem: any remotely sane site with a policy that enforces a deadline to install security updates (including reboots) will also have policies on scheduling the required maintenance window for such updates, *including* what to do when the maintenance window can't be scheduled to avoid SLA violations.

And that's for environments where you can't just do staggered updates, taking a set of nodes offline to update and regression-test, and bring them back to production (or rollback/abort the update should a regression be detected) without much (if any) impact to services.

-- 
Henrique de Moraes Holschuh <[email protected]>

