On Tue, Oct 4, 2011 at 3:37 PM, Marc Deslauriers <[email protected]> wrote:

> Actually, we do want a reboot notification when we issue security
> updates. When we issue security updates, we don't enter the major
> upgrade section, as we don't want the update to automatically restart
> services, but we do want the sysadmin to perform a planned
> reboot/service restart as the running services will be using a
> vulnerable openssl.
>
> I'm uploading a fix to move the notification to the upgrade section instead
> of the major upgrade section.

No, this is fundamentally incorrect. This would be ok *only* if you had some sensible isolation between servers and clients. It is ridiculous that user workstations running no servers at all get told to reboot because of a security change to ssl.

We had to engineer a whole system to prevent the reboot notifications from being honored on our workstations because they have been so sloppily and carelessly set, with incorrect reasoning like this.

*Any* library could need a security update; *any* library could have a security update which is relevant to running services, and it is *not* correct to force reboots on every package install merely because *sometimes* on *some* systems it might be necessary for the security fix.

We do not force reboots when firefox gets a security fix, or sh, or ... and that's the right thing. openssl is *not* different than the rest of these.

Thomas

--
https://bugs.launchpad.net/bugs/244250

Title: Spurious reboot notifications caused by libssl upgrades.
