[opensuse] Re: We have finally reached Windows standards :-)
James Knott wrote:
Joachim Schrod wrote:
If a basic library used in almost all applications is updated (recent updates to libxml* or libkrb* come to mind) then you would have to restart many, many services on your workstation, and also to log out and log back in, when X uses them.
When I do an update with Yast, it automagically restarts the affected services, if needed.
Is this really so? If a library that's used by your X server is updated (recently: the Kerberos library), is the X server restarted? I.e., are all users forcefully logged out, losing all their work with all open applications?

I don't use YaST, I use zypper for updates, it's automated in our infrastructure. zypper didn't restart X, and I thank the openSUSE devs that it didn't do so. I don't like losing my work... ;-) And, frankly, I doubt that YaST will behave differently and will restart my X server during update for that reason. (There were several of these shared lib updates over the last few months, btw.) There would be some messages here on the mailing list asking why one has been forcefully logged out, otherwise; thus my doubts are grounded in empirically observable facts, and are not only personal musings.

Have you assured yourself, after your YaST update, with "zypper ps", that no program still uses any of the updated libraries? Honestly, I doubt that you did so. That you're writing about doing updates with YaST without any reference to zypper shows it.

If you didn't check shared library usage, and if YaST didn't restart X, you left yourself running a server with publicly known exploits. Did you do your risk management properly? What will you answer to any questions from a SOX auditor? I know what I did and what I'll be able to answer...

Cheers,
Joachim

--
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Joachim Schrod wrote:
Is this really so? If a library that's used by your X server is updated (recently: the Kerberos library), is the X server restarted?
I don't recall the details. All I know is that sometimes, something is restarted. I don't use Zypper. Then again, other than ssh and imaps, I don't offer any services that are reachable from the Internet. Everything else is blocked by my firewall.
On Monday, 2013-04-01 at 21:37 -0400, James Knott wrote:
don't offer any services that are reachable from the Internet. Everything else is blocked by my firewall.
Not when you initiate the connection with a web browser or email. PDF holes, Java, Flash...

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. wrote:
On Monday, 2013-04-01 at 21:37 -0400, James Knott wrote:
don't offer any services that are reachable from the Internet. Everything else is blocked by my firewall.
Not when you initiate the connection with a web browser or email. PDF holes, Java, Flash...
All blocked by NoScript && the more complicated, but powerful 'RequestPolicy' -- which lets you decide which websites you want to allow to communicate to each other from your browse session. Also have JavaScript turned off in Acrobat and usually, I don't have Java enabled, but occasionally I play with it.

Any scripting technology is potentially unsafe, so letting script through automatically from any site is certainly a problem no matter how good they claim their sandboxes are.
On Monday, 2013-04-01 at 22:33 -0700, Linda Walsh wrote:
Carlos E. R. wrote:
Not when you initiate the connection with a web browser or email. PDF holes, Java, Flash...
...
Any scripting technology is potentially unsafe, so letting script through automatically from any site is certainly a problem no matter how good they claim their sandboxes are.
da da da da.... that is not for all people. :-)

And even if you block them routinely, and allow them only from sites you need and trust, it may happen that _they_ have been hacked unknown to them... So you better have your side of things updated and activated - not waiting a restart. Cover all fronts.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Tuesday, 2013-04-02 at 03:28 +0200, Joachim Schrod wrote:
James Knott wrote:
When I do an update with Yast, it automagically restarts the affected services, if needed.
Is this really so? If a library that's used by your X server is updated (recently: the Kerberos library), is the X server restarted? I.e., are all users forcefully logged out, losing all their work with all open applications?
No :-) No, that does not happen. If, for example, there is an update to sshd, it is restarted. Connected users are not disconnected, IIRC. This only happens for services, and not all of them. I think it is a postinstall script in the rpm package that does it, so it will work with any package manager.
I don't use YaST, I use zypper for updates, it's automated in our infrastructure. zypper didn't restart X, and I thank the openSUSE devs that it didn't do so. I don't like losing my work... ;-)
If there is an update to X or some important application that you are using, there is a chance that it crashes. For example, LibreOffice. You click something that needs a component that was not yet loaded from disk. And as you did an update, that component on disk is a different version... and LO crashes. Well, LO periodically saves your work, so you are mostly fine. But it can happen to something else. A KDE update...

Never automate updates. Stop working on important things while they are applied.
Have you assured yourself, after your YaST update, with "zypper ps", that no program still uses any of the updated libraries? Honestly, I doubt that you did so. That you're writing about doing updates with YaST without any reference to zypper shows it.
Yes, YaST does not do the check, it says nothing. The "zypper ps" feature is only in zypper.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
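Added example, not part of any message in this thread: a sketch of the kind of check the thread attributes to "zypper ps", finding processes that still map a shared library whose file was replaced on disk. It assumes Linux `/proc/<pid>/maps`, where an unlinked mapped file is shown with a trailing " (deleted)"; the function names and the sample mappings are constructed for illustration.

```python
import os
import re

# /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(/.*)$")
SHARED_OBJECT = re.compile(r"\.so(\.[0-9]+)*$")
DELETED = " (deleted)"  # assumption: Linux marks unlinked mapped files this way

# Constructed sample: an X server still mapping a replaced Kerberos library.
SAMPLE_MAPS = """\
00400000-0061e000 r-xp 00000000 08:02 1180012    /usr/bin/Xorg
7f3a1c000000-7f3a1c0b4000 r-xp 00000000 08:02 1311034    /usr/lib64/libkrb5.so.3.3 (deleted)
7f3a1d000000-7f3a1d150000 r-xp 00000000 08:02 1311102    /usr/lib64/libxml2.so.2.9.0
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:04 98307    /SYSV00000000 (deleted)
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0    [stack]
"""

def stale_libs(maps_text):
    """Shared libraries mapped executable whose on-disk file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        # Skips [stack]/[heap], live files, and deleted non-code mappings
        # such as temp files or SysV shared memory.
        if m and m.group(2).endswith(DELETED) and "x" in m.group(1):
            path = m.group(2)[:-len(DELETED)]
            if SHARED_OBJECT.search(path):
                stale.add(path)
    return stale

def scan_proc(proc="/proc"):
    """Map pid -> (command name, stale libraries) for each readable process."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                libs = stale_libs(fh.read())
            with open(os.path.join(proc, pid, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited, or not ours and we are not root
        if libs:
            report[int(pid)] = (name, sorted(libs))
    return report

if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(pid, name, *libs)
```

Run as root to see every process; an unprivileged run reports only the caller's own processes, so an empty result there does not mean the system is clean.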
participants (4)
- Carlos E. R.
- James Knott
- Joachim Schrod
- Linda Walsh