Thursday, October 30, 2008

Backing out the procps change... how it works

I've had some questions on how we backed out the procps change, specifically the mechanism that was used. Here is how it works;

Both the kernel package and the procps package are security updates. The procps package removed the file /etc/sysctl.d/10-tcp-timestamps-workaround.conf (at least as long as the user had not modified it; it takes care in its preinst to check for this, since clobbering explicitly modified configuration files would be a clear policy violation). However it does not "undo" the setting on the fly in the running kernel. The new kernel is installed and upon rebooting you will get tcp timestamps turned back on, since the configuration file that turned them off is no longer present.

It's true that it's technically possible for a user to upgrade procps but not the kernel, or vice versa. However, we felt that it wasn't worth the gymnastics required to cope with this, bearing in mind that there are many different kernel package names in 8.10, many of which never suffered from this problem in the first place, and that the TCP timestamps setting is not undone until you reboot. Particularly given that the kernel update doesn't change ABI and therefore doesn't change package name, the overwhelming majority of users will just apply both security updates at once. We made sure that both the kernel and procps were published with all their binaries at the same time.

Thanks to Colin Watson for the technial explination.

~pete

No comments: