[Bug 1747499] Re: 98-reboot-required and Interaction with livepatch
Steve Langasek
steve.langasek at canonical.com
Mon Feb 5 21:23:23 UTC 2018
The position of the Security Team has been consistent that kernel live
patching allows users to defer reboots, it does not allow users to avoid
them. Because not all security fixes are included in live patches, and
because correlating the live patch CVEs to the kernel deb CVEs requires
knowledge that's external to the packages themselves, hiding the 'reboot
required' message will give users a false sense of security about their
system.
Cc:ing Tyler for any further comment.
Whatever our policy is going to be here, it should be consistent across
the board for both desktop and server (which may fall out naturally from
changes to update-notifier, but maybe not).
https://bugs.launchpad.net/bugs/1747499
Title:
98-reboot-required and Interaction with livepatch
Status in update-notifier package in Ubuntu:
New
Bug description:
If a system is using canonical livepatch, has it enabled, and patches
are applied, it could be confusing for a user to receive a "system
restart required" message in the MOTD when logging in.
That message, when present, is printed by 98-reboot-required which
essentially just cats /var/run/reboot-required to stdout. That file is
placed by packages that require a reboot so that they are properly
used in their updated versions. Examples that come to mind are libc
and the kernel.
There is a secondary file that can be created which says which
packages requested the reboot. That would be
/var/run/reboot-required.pkgs
Ideally that script should not print out the reboot required message
if a) livepatch is installed and enabled; b) the only trigger for the
reboot is a kernel update.
For (a), one can use the command "ubuntu-advantage is-livepatch-enabled"
and check $?. That is in the ubuntu-advantage-tools package.
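The shell below is an added illustration of the suppression logic proposed in the bug description; it is not update-notifier's own 98-reboot-required script and not code from anyone in the thread. It prints the reboot notice unless livepatch is enabled and every package named in the .pkgs list is a kernel package, and it keeps the conservative default that Steve's reply argues for: a missing or empty list, or any non-kernel entry, still prints the message. Assumptions that are not in the bug: reboot-required.pkgs holds one package name per line, the kernel package name patterns in is_kernel_pkg, and the file paths and livepatch state are passed as parameters so the example runs offline against constructed files.

```shell
#!/bin/sh
# Added example for bug 1747499; not update-notifier's 98-reboot-required.
# Decides whether the "System restart required" MOTD line should be printed
# given the flag file, the .pkgs list and the livepatch state.

# The check proposed in the bug: exit status of
# "ubuntu-advantage is-livepatch-enabled" (ubuntu-advantage-tools).
# Kept as a wrapper only; the demo below passes the state explicitly.
livepatch_enabled() {
    ubuntu-advantage is-livepatch-enabled >/dev/null 2>&1
}

# Assumed name patterns for kernel debs (assumption, not from the bug).
is_kernel_pkg() {
    case $1 in
        linux-image-*|linux-modules-*|linux-headers-*|linux-signed-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the list exists, is non-empty, and names kernel packages
# only. A missing or empty list means we cannot tell what asked for the
# reboot, so it is treated as "not only the kernel" and the notice stays.
only_kernel_triggers() {
    [ -s "$1" ] || return 1
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        [ -n "$pkg" ] || continue
        is_kernel_pkg "$pkg" || return 1
    done < "$1"
    return 0
}

# should_print_notice FLAGFILE PKGSFILE LIVEPATCH(0|1) -> echoes yes|no
should_print_notice() {
    [ -f "$1" ] || { echo no; return 0; }   # nothing asked for a reboot
    if [ "$3" = 1 ] && only_kernel_triggers "$2"; then
        # The bug's proposal. Note Steve's caveat: the live patch may not
        # cover every CVE fixed in the kernel deb, so this hides a reboot
        # that is deferred, not avoided.
        echo no
    else
        echo yes                              # libc, mixed lists, unknown lists
    fi
}

# Demo with constructed files in a temp dir (not real system state).
demo_dir=$(mktemp -d)
: > "$demo_dir/reboot-required"
printf 'linux-image-4.13.0-32-generic\nlinux-modules-4.13.0-32-generic\n' \
    > "$demo_dir/kernel.pkgs"
printf 'linux-image-4.13.0-32-generic\nlibc6\n' > "$demo_dir/mixed.pkgs"
echo "kernel only, livepatch on:    $(should_print_notice "$demo_dir/reboot-required" "$demo_dir/kernel.pkgs" 1)"
echo "kernel only, livepatch off:   $(should_print_notice "$demo_dir/reboot-required" "$demo_dir/kernel.pkgs" 0)"
echo "kernel + libc6, livepatch on: $(should_print_notice "$demo_dir/reboot-required" "$demo_dir/mixed.pkgs" 1)"
echo "no .pkgs list, livepatch on:  $(should_print_notice "$demo_dir/reboot-required" "$demo_dir/missing.pkgs" 1)"
rm -rf "$demo_dir"
```

To wire this into a MOTD script you would replace the explicit 0/1 argument with the exit status of livepatch_enabled and point the two paths at /var/run/reboot-required and /var/run/reboot-required.pkgs; whether the suppression should exist at all is the policy question the thread leaves open.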