On Wed, 2006-08-09 at 17:13 +0200, Axel Thimm wrote:
On Wed, Aug 09, 2006 at 09:38:54AM -0400, Jack Neely wrote:
> > > Okay...walk me through this then:
> > >
> > > Assuming no yum plugins or other mess.
> > >
> > > A new kernel is available that corrects some random remote DoS. How do
> > > I get all 1300 machines to pull down the new AFS modules?
> >
> > It's in the wiki, but here it comes again:
> >
> > o current kernel module scheme w/o any special depsolver handling:
> >   - broken on rpm level, inherits on all depsolvers
> >   - Modules of the current kernel get nuked whether you reboot into
> >     the new kernel or not
>
> Wrong. Both up2date and yum have always marked packages that provide
> 'kernel-modules' as install only for several years now. Modules don't
> get "nuked" unless you rpm -U.

Wrong x 3:

o not always, neither yum nor up2date initially had any
  "kernel-module(s)" support
o first implementation had a typo mismatch, kernel-modules vs
  kernel-module. In fact effectively it's a very young approach, I
  think this was fixed less than a year ago

2003-11-21 01:24 skvidal
    * nevral.py:
    make packages providing 'kernel-modules' installonly.

that was yum 2.0.X

> > + but the new kernel gets its kernel modules (and only the new
> >   kernel ...)
>
> This point has been used in practice by several large universities.
> I've been doing this for about 6 years. While not perfect it's been
> proven to be acceptable and allow machines to remain fully patched.

6 years? So you've been using yum's secret unannounced and NSA
sponsored version back then, huh? ;)

we used the idea in yup prior to yum.
That was about 2000->2001, iirc so yes, about 6 years.

> NC State University. Duke. I believe Matt at Boston U. has used this
> approach in the past as well.

And I know large universities that extensively make use of proprietary
operating systems, so what exactly does that say? Mass does not imply
infallibility.

I don't think he was alleging that. I think he was saying there are some
big users with large installations who have used it and it works.
that's all.

-sv