[PLUG] Slapper.C

Paul Heinlein heinlein at attbi.com
Wed Oct 2 13:44:11 UTC 2002


On Tue, 1 Oct 2002, Richard Langis wrote:

> While that may be true with RH-derivatives, Debian restarts just
> about everything (even pcmcia on a laptop getting sources from the
> network, grrr) when it upgrades.
> 
> IMHO, that's the way it SHOULD be, anyway.  Why upgrade if you're
> not going to start using the upgraded packages?

I, for one, think it ought to be up to the admin, not the 
package-management system, as to when applications are forced into 
using the upgraded packages.

Take, for instance, the openssl package update. On our main Linux
login server at work (Red Hat 7.3), 136 separate packages require the
openssl dynamic libraries:

  [heinlein]$ rpm -q --whatrequires libssl.so.2 | wc -l
      136

Among them are

* mail clients: balsa, evolution, mutt, pine
* web browsers: galeon, lynx
* service daemons: apache, openldap, postgresql, sendmail, squid

I like to be able to upgrade libraries as soon as the update is posted 
so that, on the one hand, clients like pine or galeon pick up the 
upgrade the next time someone launches them.

But...

But I certainly don't want mail or database access disrupted 
willy-nilly at the same time. That's silly: "I'm sorry, everyone, but 
we have to schedule a service downtime because our package manager 
wants to install some bugfixes and who knows what applications it 
will automatically choose to restart."

True, Red Hat's notice could have said something to the effect of

  You can easily discover which packages are affected by the upgrade
  to this package by querying the RPM database:

     rpm -q --whatrequires libssl.so.2
     rpm -q --whatrequires libcrypto.so.2

  As soon as possible, you'll want to restart long-running processes 
  associated with the list of packages returned by your queries.

That's completely different, however, than putting such restarts into 
the hands of the package-management system. I shudder to think about 
the service disruptions...

At some point, you face two choices:

* dumb things down like Microsoft has so that every update tells the 
  admin s/he should reboot the system

* rely on the admin to know what's running on the system and what will 
  be affected by a library upgrade.

--Paul Heinlein <heinlein at attbi.com>
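
Added example, not part of the original message: one way for the admin to see which running processes still map a replaced libssl or libcrypto after the upgrade, so restarts can be scheduled per service. It assumes Linux /proc and that the upgrade unlinked the old library file; the function names and the sample paths are constructed for illustration.

```sh
#!/bin/sh
# Assumption: when a mapped library file is replaced on disk, the kernel
# shows the old mapping in /proc/<pid>/maps with a trailing " (deleted)".

# stale_ssl_maps: read maps-format lines on stdin and print each distinct
# libssl/libcrypto path that is still mapped but no longer on disk.
stale_ssl_maps() {
    awk '
        # Field 6 is the pathname; the deletion marker is the last field.
        $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ {
            if (!seen[$6]++) print $6
        }'
}

# sample_maps: constructed maps lines (not captured from a real host).
sample_maps() {
    cat <<'EOF'
40016000-40046000 r-xp 00000000 03:02 12345 /usr/lib/libssl.so.OLD (deleted)
40046000-40049000 rw-p 0002f000 03:02 12345 /usr/lib/libssl.so.OLD (deleted)
40049000-40110000 r-xp 00000000 03:02 12346 /usr/lib/libcrypto.so.OLD (deleted)
40110000-4023a000 r-xp 00000000 03:02 22222 /lib/libc.so.6
40300000-40310000 r-xp 00000000 03:02 33333 /usr/lib/libz.so.1 (deleted)
40400000-40401000 rw-p 00000000 00:00 0
EOF
}

# scan_proc: print "pid<TAB>command<TAB>stale library" for live processes.
# Run as root to see every process; unreadable entries are skipped.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # The process may exit between the glob and the read.
        stale=$(stale_ssl_maps 2>/dev/null < "$maps") || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $stale; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Scan the live system only when asked to: sh stale-ssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

The rpm queries in the message list what could be affected; this lists what is actually still running on the old library.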




