Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.
 
Originally posted by X86BSD
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

Apple requires a restart so they can make sure that everything is reset. It's just easier (and safer) to have it restart rather than quitting whatever is in use, and reloading it.
 
Originally posted by X86BSD
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

A lot of people complain about this without knowing what's going on. When an update includes a new version of a library to which applications may link dynamically, you have to restart all applications that use that library. The problem is that there's no fully reliable way to know which running applications have loaded a particular library and to restart them perfectly cleanly. In some cases you might not care (you can wait for a user restart, risk losing data in a non-interactive one, or risk missing a dynamically-linked app), but when the update is to a widely-used library (like zlib in this case) and it concerns security, you really don't want to take a chance - the only sure bet is to reboot.

Obviously this isn't the case for updates that don't involve shared libraries or that only affect a limited (and known) number of apps - and you see in those cases that no reboot is required.
 
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

It is usually this comment that is associated with _____is broke after the update.!!!!!

After a restart or a verify permissions, the problem is almost always solved.

How hard is it to restart and get on with your life? Restarts seem to be associated with security updates, quicktime updates and OS updates. These all seem system critical to me and worth a restart.

But then again, I restart before any OS update because it makes me feel safer. YMMV. :)
 
It's hard to restart for trivial crap that does NOT need a restart. If you come from the unix universe you would understand. You stop the server in question (sshd, httpd, etc.), patch it, install new server, restart server. Not the whole machine. It's like going to get gas for your car at the pump and having to tear down your engine and rebuild it every time. It's stupid and makes no sense. This is not Windows.
 
Originally posted by X86BSD
It's hard to restart for trivial crap that does NOT need a restart. If you come from the unix universe you would understand. You stop the server in question (sshd, httpd, etc.), patch it, install new server, restart server. Not the whole machine. It's like going to get gas for your car at the pump and having to tear down your engine and rebuild it every time. It's stupid and makes no sense. This is not Windows.

I agree, at the very most they could force all users to log out, and then restart any system processes that were affected. Only kernel patches should require a reboot (and the Mach kernel is a microkernel arch which was designed so you didn't have to reboot unless you had to patch the core microkernel itself... which was intentionally kept micro so that would be few and far between).

No, I think what we are seeing is the low energy approach - why invest programmer resources to perform an update while running, when you could just patch the files and force a restart/reload?

Does anyone know if you have to restart the OSX Server when installing security patches?

-Wyrm
 
I would rather see sec. updates come out more freq. than wait for some damn PC sided sec. firm to say OS X has critical sec. flaws even if they are not!

As for the guy complaining about restarting... I know for a fact that not all updates have required a restart so stop complaining. I'd rather take 1-2 mins to restart than have it not work right and screw something else up. 1-2 mins of downtime is nothing.
 
One or one thousand makes no difference. You cannot just reboot a machine every time a security update comes up if you run mission critical services off of it. Unless you want to admit OS X is a toy OS that can't hang with 1970 technology like UNIX that can be patched without taking the entire machine down. Is that what you are trying to say?

I love OS X, but some of you need some experience in the real world about mission critical deployment. And why it's retarded to reboot a whole machine or machines to patch ssh.
 
Unsubstantiated

Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug seriously and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or I'm releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

Did my last post really get modded out for being insulting? Okay, let me phrase this in a non-insulting way:

This story strikes me as untrue. It's easy to claim that an anonymous friend has an exploit for a bug that I can't tell you about, but let me tell you how slow Apple is in fixing it.

What makes more sense to me is that anyone who tries to blackmail Apple into doing anything is likely to end up behind bars.

I hope Apple calls your "friend's" bluff. If it were serious, and a real exploit, they would have fixed it, as they've done instantly for other serious exploits. If not, they're going to let your "friend" huff and puff all he likes.
 
Originally posted by X86BSD
One or one thousand makes no difference. You cannot just reboot a machine every time a security update comes up if you run mission critical services off of it. Unless you want to admit OS X is a toy OS that can't hang with 1970 technology like UNIX that can be patched without taking the entire machine down. Is that what you are trying to say?

I love OS X, but some of you need some experience in the real world about mission critical deployment. And why it's retarded to reboot a whole machine or machines to patch ssh.

Because the underlying libraries are dynamically linked into other running applications, and there's no system-wide way to register which applications are currently using which dynamically linked libraries.

So, genius, how do you guarantee to solve this problem without a reboot:

1) I find a flaw in something like zlib.
2) I issue a patch to zlib.
3) I could restart all of the services that I know of that come preinstalled with the machine that use zlib, but how could I possibly know whether or not some other user program that's been installed after the fact is using the old version?

So, how do you know that?

You should think through these things before you start calling people "retarded".
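The question raised in the posts above (which running processes still hold the old copy of a patched shared library?) as an added example that is not part of the original thread. It assumes Linux rather than OS X, where `/proc/<pid>/maps` marks a mapping ` (deleted)` once the library file has been replaced on disk; the pids, paths and maps text are constructed sample data.

```python
import os
import re

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
DELETED = " (deleted)"  # suffix the kernel appends once the mapped file is unlinked


def stale_libraries(maps_text):
    """Shared libraries still mapped although their file was replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(1).endswith(DELETED):
            path = m.group(1)[: -len(DELETED)]
            if re.search(r"\.so(\.|$)", path):  # keep shared objects only
                stale.add(path)
    return sorted(stale)


def processes_needing_restart(maps_by_pid, lib_name):
    """Return {pid: [stale paths]} for processes holding an old copy of lib_name."""
    result = {}
    for pid, text in maps_by_pid.items():
        hits = [p for p in stale_libraries(text) if lib_name in os.path.basename(p)]
        if hits:
            result[pid] = hits
    return result


# Constructed sample: pid 101 started before the patch, pid 202 after it,
# pid 303 is statically linked (an embedded copy never shows up in maps).
SAMPLE = {
    101: "00400000-0045c000 r-xp 00000000 08:01 1311 /usr/sbin/sshd\n"
         "7f1a00000000-7f1a00015000 r-xp 00000000 08:01 2201 /usr/lib/libz.so.1 (deleted)\n"
         "7f1a00215000-7f1a00216000 rw-p 00015000 08:01 2201 /usr/lib/libz.so.1 (deleted)\n",
    202: "00400000-0048e000 r-xp 00000000 08:01 1402 /usr/sbin/httpd\n"
         "7f2b00000000-7f2b00016000 r-xp 00000000 08:01 2417 /usr/lib/libz.so.1\n",
    303: "00400000-004f1000 r-xp 00000000 08:01 1550 /usr/local/bin/static-daemon\n"
         "7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]\n",
}

if __name__ == "__main__":
    print(processes_needing_restart(SAMPLE, "libz"))
```

On a live Linux host the text for each pid comes from reading `/proc/<pid>/maps`, which needs root for other users' processes. The check only catches libraries replaced by unlink-and-rename; a file overwritten in place, or a statically linked copy, is not flagged.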
 
Re: Unsubstantiated

Originally posted by mstecker
Did my last post really get modded out for being insulting? Okay, let me phrase this in a non-insulting way:

This story strikes me as untrue. It's easy to claim that an anonymous friend has an exploit for a bug that I can't tell you about, but let me tell you how slow Apple is in fixing it.

What makes more sense to me is that anyone who tries to blackmail Apple into doing anything is likely to end up behind bars.

I hope Apple calls your "friend's" bluff. If it were serious, and a real exploit, they would have fixed it, as they've done instantly for other serious exploits. If not, they're going to let your "friend" huff and puff all he likes.

You can think whatever you wish. The fact remains by Nov 26th this glaring security hole affecting every version of OS X 10.2+ client and server will be issued forth in a security advisory by said author.
It probably even affects all versions of OS X. Proof is in the pudding you can doubt all you wish, but I will state here for record you will either see another security update by Nov 26th or you will see the SA released on full-disclosure and thereby the rest of the globe. This is not a bluff this is a valid serious security issue Apple has decided is not worth the time to fix as of yet. On the 26th you can decide if Apple was justified or not. Trying to get a vendor to fix a glaring security issue is not blackmail. But I doubt I will convince you of this.
 
As far as how to fix zlib without rebooting.

Patch zlib
Install new zlib
Recompile apps using zlib.

If it's a kernel lib. *Schedule Downtime*

"But whaaa how do I find out what apps use zlib???"

I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a jail.
And I know exactly what libs they link against.

Maybe you need more organization if you have 1000 apps running on a single server and don't know what's using what or linked to what. Which would be a security nightmare anyway.
 
Hmm... why don't you do updates during the night like most admins do?

Also if it's mission critical most businesses will have more than 1 OS X server to rely on. I worked with a guy that did nothing but Unix and said all businesses have backup Unix servers on standby if they do have to switch to them.
 
Re: Timely my a$$

Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug seriously and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or I'm releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

I say give 'em two months to respond, then publish.

All in all though, Apple has been very up to speed with at least the BSD issues I've seen elsewhere.
 
Originally posted by X86BSD
As far as how to fix zlib without rebooting.

Patch zlib
Install new zlib
Recompile apps using zlib.

If it's a kernel lib. *Schedule Downtime*

"But whaaa how do I find out what apps use zlib???"

I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a jail.
And I know exactly what libs they link against.

Maybe you need more organization if you have 1000 apps running on a single server and don't know what's using what or linked to what. Which would be a security nightmare anyway.

Dude, listen, I'd like to reboot less than I do. Not because it does me any harm, but because I like to see the 'uptime' number get big.

It's a fetish. Call me weird...

What you're talking about though is sys-admin level decision making. OS X is first and foremost a consumer and small-business OS.

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to "kill -HUP" all processes dynamically linking to OpenSSL, or am I going to say "click restart to continue"?

If a service is mission critical, you darn well better be able to take a machine down without affecting operations or you've got much bigger concerns than a reboot.

If "scheduled downtime" is acceptable, don't click "check for updates" until the scheduled time...
 
Originally posted by X86BSD
I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a jail.
And I know exactly what libs they link against.

Sorry, I selectively ignored this bit... Let me restate:

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to recompile and install all apps statically linked to OpenSSL, or am I going to say "click restart to continue"?

I'd be willing to bet less than 50% of users have the dev tools even installed...
 
The people who say Apple should ensure bugs are fixed are clueless about software development.

No software is guaranteed bug free - security issues or otherwise.

Mac OSX is not a critical system, otherwise it would cost a lot more than $179 (Canadian). It is not vital that OSX ships with all known bugs fixed. If you are concerned about this then you shouldn't be using Mac OSX. You shouldn't be using Windows or any other consumer OS.

No consumer OS will have known bugs fixed. The OS will be released when it is suitable for consumer usage.

Get real. Apple will ship software with known bugs - but hopefully ship with a suitable software that ensures suitable day to day usage.

If you don't realise this, then you don't know how the software industry works.

This is the reality.

If you don't agree, then hard luck. This is a commercial environment, Apple are out to make money, like any other company.

Other companies will release software with known bugs - but (hopefully) usable software that is at a satisfactory status.
 
Re: Timely my a$$

Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug seriously and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or I'm releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.
Your friend should start posting it everywhere that Mac traffic is significant. /. might be a good start....
 
Originally posted by Analog Kid
Sorry, I selectively ignored this bit... Let me restate:

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to recompile and install all apps statically linked to OpenSSL, or am I going to say "click restart to continue"?

I'd be willing to bet less than 50% of users have the dev tools even installed...

Oh but wait! I'm a UNIX user and they must listen to me. To ME!!!!!
 
Re: Re: Unsubstantiated

Originally posted by X86BSD
You can think whatever you wish. The fact remains by Nov 26th this glaring security hole affecting every version of OS X 10.2+ client and server will be issued forth in a security advisory by said author.
It probably even affects all versions of OS X. Proof is in the pudding you can doubt all you wish, but I will state here for record you will either see another security update by Nov 26th or you will see the SA released on full-disclosure and thereby the rest of the globe. This is not a bluff this is a valid serious security issue Apple has decided is not worth the time to fix as of yet. On the 26th you can decide if Apple was justified or not. Trying to get a vendor to fix a glaring security issue is not blackmail. But I doubt I will convince you of this.

What exactly then could a malicious user do with this exploit you're talking about, or what does it affect?
 
Cosmetic issue. Minor issue.

Originally posted by Analog Kid
Dude, listen, I'd like to reboot less than I do. Not because it does me any harm, but because I like to see the 'uptime' number get big.

 
Geez, unwad your panties already, force quit Software Update after the update is installed, and kill and restart the correct processes, if it really matters that much. Lord, if you can't figure out that, you shouldn't be using a Mac, or Unix for that matter. Go use Windows, where you really do have no choice but to restart after an update.