Comment 15 for bug 244250

On Wed, Oct 5, 2011 at 12:54 AM, Marc Deslauriers <
<email address hidden>> wrote:

> Right now, the best way we have of determining if we're a server or a
> desktop is to check if X is running. It's not ideal, and suggestions are
> welcome.
>

I think my question is suggesting that there really isn't a principled
distinction between "desktop" and "server" for things like this.

> We need a way for sysadmins to get notifications that some of the major
> automatic updates they are installing, such as openssl and the kernel,
> require services and/or the system to get restarted after a security
> update. The mechanism we have now is the reboot notification tool.
>

It's the right tool, but the correct approach is the standard one: Debian
packages should do in-place upgrades, except the kernel. With libc much work
was spent figuring out what to restart and how, and it works. openssl should
do the same thing.

> I agree that a lot of libraries can have security issues also, and in
> fact, most of the server packages will gracefully restart when they get
> security updates. For openssl, and a few other select libraries, things
> are different. Security issues in openssl usually are of importance for
> network servers, and automatically restarting all the running daemons
> isn't an option, especially since the server could be running software
> that wasn't installed from packages in the archive. In this case, the
> reboot notification indicates to the sysadmin that manual intervention
> is needed. If the sysadmin decides that nothing on his server is
> affected, he can simply remove the reboot notification file. Yes, this
> solution is far from perfect, but the alternative is to disable
> notifications completely, which is not a viable option.

Not running X doesn't mean that someone is running ssl servers, right? Why
not look for ssl servers, specifically, and only if there are ssl servers
running, call for the reboot?

Thomas