On Mon, Feb 25, 2013 at 12:35 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote: > >> >> Keep in mind that to _not_ install an update, you have to know more >> than the RH engineers about the code. I usually assume they had a >> good reason for going to the trouble of shipping it and that they >> would have to have a very, very good reason to ship anything that >> would break an existing API in an update. Of course it is always good >> policy to test the combination of things you run in production on a >> non-critical box first. > > > For example, an apache update MAY require that I first check what it will do > to http.conf. I suppose it is possible - but I can't recall that ever happening. And I have some oddball httpd.confs. This is why we use 'enterprise' distributions. Updates are not supposed to break things. > First install it on a test server, check out what is new, > then apply it. Or a firefox update, and I only run firefox anymore on the > server when I am running in via vnc, and probably will never again (after > setup) run firefox, so I will apply that update when I don't have something > more to do. I see mysqld on my DNS server, but I have it off. Also cups is > there, and I don't do printing. I have not uninstalled these, so if they > get updates, I will apply them, but not when I am on the road. Now a bind > or apache security update will get applied.... All reasonable thoughts, but you are getting to the point of spending more time figuring out if you need to do an update than you would to just run one and watch what it does. At the end of the run you are finished with that box and you know if it is important to do the others right away. If you do that on the test box you mentioned you'll also know if anything breaks. > yes, I still tend to install desktop on my servers to get them configured, > the set inittab to 3 and will rarely ever run desktop again. That will greatly increase the amount of updates you'll install over the life of the box. And you can't assume that a security update for something that isn't running is not needed - it might relate to ways to become root after some other exploit permits local access. -- Les Mikesell lesmikesell@xxxxxxxxx _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos