From: Remko Lodder
To: Mike Brown
Cc: freebsd-security@freebsd.org
Date: Mon, 10 Oct 2011 22:23:09 +0200
In-Reply-To: <201110020411.p924BPqn037383@chilled.skew.org>
Subject: Re: Reasonable expectations of sysadmins (was Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix)

On Oct 2, 2011, at 6:11 AM, Mike Brown wrote:

> Chris Rees wrote:
>> Generally users are expected to pay attention to what is updated-- I
>> know this isn't always the easiest task, but blindly following
>> instructions is not something that is generally advocated in FreeBSD.
>
> Generally, yes. For a security advisory, though, I don't think it's
> unreasonable for the reader to expect that the solutions and workarounds are
> exactly as described, with nothing left out or assumed that every system
> administrator will know. Likewise, the advisory issuer surely expects that the
> instructions they provide *will* be very strictly followed.
>
> Based on my own experience, I did happen to realize that a reboot would
> probably be needed, but since one procedure in the advisory said to reboot and
> the other didn't, it led me to wonder if maybe there was some magic in
> freebsd-update that obviated the need for a reboot. Apparently there's not; it
> was just an oversight in the instructions.
>
> Also, sometimes things go haywire after a reboot, especially after extended
> uptime and updates to the kernel or core libraries, so I'm in the habit of
> only shutting down when necessary. So if I don't see "and then reboot" in an
> update procedure - and most of the time, security updates don't require it -
> then I don't do it.
>

Hi Mike,

I do see the point you are mentioning and I will discuss this the next time we
(Security Team) are preparing an advisory.

Thanks
Remko

-- 
/"\   With kind regards,      | remko@elvandar.org
\ /   Remko Lodder            | remko@FreeBSD.org
 X    FreeBSD                 | http://www.evilcoder.org
/ \   The Power to Serve      | Quis custodiet ipsos custodes