2002-04-03
We all know that outdated network software is a security hazard. The solution: hard-wired expiration codes that self-destruct an old program when it's past its prime.
Death to Old Software
2002-04-03
Steve (1 replies)
Death to Old Software
2002-04-03
Anonymous (1 replies)
A really bad idea: The solution is better placed elsewhere
2002-04-03
Robert A. Klahn (rklahn@acm.org) (1 replies)

The big problem is that security updates and feature updates are intertwined. Maybe authors should be made to release compatible updates to all versions, or at least distribution maintainers should. I think that quite unlikely. Such is the bane of open source, where you can't force upgrades like commercial software attempts to. (And which is what time-outs suggest doing.) It would be nice if people kept up with the latest version, but most software appears to work well enough to ignore updates. That is the good thing about open source from the individual admin's point of view.
Another idea would be to have lists of OK versions of the software on a central server, but revoke exploitable versions. Then the admin might be able to upgrade or downgrade at their preference.
I think the real issue is hitting admins over the head with security updates that matter to them. It's all great if the package manager will put a big dialog box up on root's login to notify him or send messages to root@localhost. However, when is root going to actually read them? Maybe there should be (is there?) an RFC on how the admin should be contacted by their systems (i.e. root@localhost should go to a real account on some mail server). I think most admin guides and other helpful resources suggest this. Then they can be held accountable for not doing it, and the distributions could at least do what is required of them to notify admins.
I think that no matter how easy it is, it is really a non-issue. Updating packages is the admin's responsibility; if they have no procedures in place and there are no accepted practices, then it really isn't the software author's/maintainer's fault now, is it?
Link to this comment: http://www.securityfocus.com/comments/columns/72/11654#11654
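The "central list of OK versions, with exploitable versions revoked" idea from the comment above, as an added example that is not from the column or any commenter: a small Python model in which an admin's installed versions are checked against an allow-list and a revocation set, and each failing package gets the nearest acceptable upgrade or, failing that, the nearest acceptable downgrade. The package names, version numbers and both lists are constructed sample data; a real deployment would fetch a signed list over an authenticated channel rather than trust a plain download.

```python
"""Allow-list / revocation check for installed package versions.

Added example (not from the column or the comment): a minimal model of a
central "OK versions" list with exploitable versions revoked. The package
names, version numbers and lists below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]

# Constructed: versions the central list currently marks as acceptable.
OK_VERSIONS: Dict[str, List[Version]] = {
    "netd-demo": [(2, 9, 9), (3, 0, 2), (3, 1, 0), (3, 2, 0)],
}
# Constructed: versions the central list has revoked as exploitable.
REVOKED: Dict[str, Set[Version]] = {
    "netd-demo": {(3, 0, 0), (3, 0, 1), (3, 1, 1)},
}


def parse_version(text: str) -> Version:
    """Turn "3.0.2" into (3, 0, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


@dataclass
class Verdict:
    package: str
    installed: str
    status: str                # "ok", "revoked" or "unknown"
    suggestion: Optional[str]  # e.g. "upgrade to 3.0.2", or None if nothing applies


def check(package: str, installed: str) -> Verdict:
    """Compare one installed version against the allow-list and revocation set."""
    v = parse_version(installed)
    ok = sorted(OK_VERSIONS.get(package, []))
    if v in ok:
        return Verdict(package, installed, "ok", None)
    # A version on neither list is "unknown": not known bad, but not vouched for either.
    status = "revoked" if v in REVOKED.get(package, set()) else "unknown"
    # Nearest acceptable upgrade first; failing that, nearest acceptable downgrade,
    # which is the "upgrade or downgrade at their preference" choice from the comment.
    upgrades = [x for x in ok if x > v]
    downgrades = [x for x in ok if x < v]
    if upgrades:
        suggestion = "upgrade to " + format_version(upgrades[0])
    elif downgrades:
        suggestion = "downgrade to " + format_version(downgrades[-1])
    else:
        suggestion = None
    return Verdict(package, installed, status, suggestion)


def actionable(inventory: Dict[str, str]) -> List[Verdict]:
    """Return only the verdicts an admin needs to act on (anything not 'ok')."""
    return [verdict for verdict in (check(p, ver) for p, ver in inventory.items())
            if verdict.status != "ok"]


if __name__ == "__main__":
    # Constructed inventory of what is installed on one host.
    host_packages = {"netd-demo": "3.0.1", "other-demo": "1.4"}
    for verdict in actionable(host_packages):
        print(f"{verdict.package} {verdict.installed}: {verdict.status}"
              + (f" -> {verdict.suggestion}" if verdict.suggestion else ""))
```

Only the non-"ok" verdicts are reported, which is the point the commenter makes about notification: the admin should be hit with the updates that matter to them, not with everything. Treating unlisted versions as "unknown" rather than "ok" is a deliberate fail-closed choice; if the central list is incomplete, the admin is told so rather than reassured.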