On Sun, 22 Feb 2015, Arjan van de Ven wrote:

> There's a lot of logistical issues (can you patch a patched system... if
> live patching is a first class citizen you end up with dozens and dozens
> of live patches applied, some out of sequence etc etc).

I can't speak on behalf of others, but I definitely can speak on behalf of SUSE, as we are already basing a product on this.

Yes, you can patch a patched system, you can patch one function multiple times, you can revert a patch. It's all tracked by dependencies.

Of course, if you are random Joe User, you can do whatever you want, i.e. also compile your own home-brew patches and apply them randomly and brick your system that way. But that's in no way different to what you as Joe User can do today; there is nothing that will prevent you from shooting yourself in the foot if you are creative.

Regarding "out of sequence", this is up to the vendor providing/packaging the patches to make sure that this is guaranteed not to happen. SUSE for example always provides an "all-in-one" patch for each and every released and supported kernel codestream in a cumulative manner, which takes care of the ordering issue completely.

It's not really too different from shipping external kernel modules and making sure they have proper dependencies that need to be satisfied before the module can be loaded.

> There's the "which patches do I have, and if the first patch for a
> security hole was not complete, how do I cope by applying number two.
> There's the "which of my 50.000 servers have which patch applied"
> logistics.

Yes. That's easy if distro/patch vendors make reasonable userspace and distribution infrastructure around this.

Thanks,

--
Jiri Kosina
SUSE Labs