From: Mike Brown
To: freebsd-security@freebsd.org
Date: Sat, 1 Oct 2011 22:11:25 -0600 (MDT)
Subject: Reasonable expectations of sysadmins (was Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix)

Chris Rees wrote:
> Generally users are expected to pay attention to what is updated-- I
> know this isn't always the easiest task, but blindly following
> instructions is not something that is generally advocated in FreeBSD.

Generally, yes.
For a security advisory, though, I don't think it's unreasonable for the reader to expect that the solutions and workarounds are exactly as described, with nothing left out or assumed that every system administrator will know. Likewise, the advisory issuer surely expects that the instructions they provide *will* be very strictly followed.

Based on my own experience, I did happen to realize that a reboot would probably be needed, but since one procedure in the advisory said to reboot and the other didn't, it led me to wonder if maybe there was some magic in freebsd-update that obviated the need for a reboot. Apparently there's not; it was just an oversight in the instructions.

Also, sometimes things go haywire after a reboot, especially after extended uptime and updates to the kernel or core libraries, so I'm in the habit of only shutting down when necessary. So if I don't see "and then reboot" in an update procedure - and most of the time, security updates don't require it - then I don't do it.