critical update notifications

Faris Raouf

Mar 19, 2018
The new kernel flaw that's making the news is very worrying.

I hope an email is sent to Proxmox Subscribers when a kernel update for Proxmox is available that resolves this?

There doesn't seem to be a Proxmox "updates" mailing list or a "security" mailing list or blog/rss/anything. I really feel a little cut off and in the dark about Proxmox security issues, or of security issues in the third party components that it makes use of.

It is also very difficult to figure out how important a particular package update might be. Sure, every now and then something has urgency other than "medium", but there's no mechanism in the GUI to see only those, and no Proxmox mechanism to get notified about them.
 
By default, the root account (email address specified on a Proxmox VE host) is getting an email notification about updates.

On the GUI, you also see the updates and the changelog of each package with details. And there are quite a lot of other places where you can get information, even the source code is available.

Please check again your host config and read the docs instead of getting worried ...
 
Yes, I get notifications of updates. There is nothing in the information that tells me if there's a critical vulnerability though. Not even if something is really, really important. Yes, in the gui I see a changelog and an "urgency", but you have to go through each one individually. Sometimes a lot of things get released at the same time. Computers are supposed to make things easy, not difficult.

All I'm suggesting is that if there's an important issue that would affect all users, such as this current remotely exploitable kernel vulnerability, and maybe something like the zfs update that removed important packages under certain (admittedly rare) conditions issue, that you let users know. And I also suggest that you let users know when an update is released to resolve the issue. This seems to me to be a basic, sensible thing for a commercial operation to do for its customers. It is not an expensive thing to do, and it is the right thing to do.
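The complaint above is that the update mail and the GUI list every package and you must open each changelog to find its urgency. As an added example (not code from the thread or from Proxmox), the script below parses the urgency field of the newest Debian changelog entry and, on a live host, lists only pending upgrades whose urgency is high or above; the sample changelog is constructed and the live helper assumes `apt list --upgradable` and `apt-get changelog` are available.

```shell
#!/bin/sh
# Added example: filter pending apt upgrades by changelog urgency.
# Debian changelog header lines look like:
#   pkg (1.2-3) distribution; urgency=high

# Print the urgency of the newest changelog entry read from stdin.
top_urgency() {
    sed -n 's/^[^ ]* (.*) [^;]*; *urgency=\([a-z]*\).*/\1/p' | head -n 1
}

# True (exit 0) when an urgency value deserves immediate attention.
is_urgent() {
    case "$1" in
        high|critical|emergency) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample changelog (not a real Proxmox package changelog).
SAMPLE_CHANGELOG='pve-kernel-example (1.2-3) pve; urgency=high

  * constructed entry: security fix

 -- Example Maintainer <maint@example.invalid>  Mon, 19 Mar 2018 10:00:00 +0100

pve-kernel-example (1.2-2) pve; urgency=medium

  * constructed entry: earlier change
'

# Urgency of the newest entry in the constructed sample (expected: high).
sample_urgency() {
    printf '%s' "$SAMPLE_CHANGELOG" | top_urgency
}

# Live use on a Debian-based Proxmox host: print only upgradable packages
# whose newest changelog entry is urgent. Needs network access to fetch
# changelogs, so it is not exercised by the offline sample above.
list_urgent_updates() {
    apt list --upgradable 2>/dev/null | sed -n 's,^\([^/]*\)/.*,\1,p' |
    while read -r pkg; do
        u=$(apt-get changelog -qq "$pkg" 2>/dev/null | top_urgency)
        if is_urgent "$u"; then
            printf '%s\turgency=%s\n' "$pkg" "$u"
        fi
    done
}
```

Run `list_urgent_updates` from a cron job or the same host that sends the update mail to get a short list of the packages that actually need a scheduled reboot window.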
 
Computers are supposed to make things easy, not difficult.

Yeah, they should but I can't recall a time when this was true. Everything is extremely overcomplicated, complex and error prone.

This seems to me to be a basic, sensible thing for a commercial operation to do for its customers. It is not an expensive thing to do, and it is the right thing to do.

Good idea but totally impractical. If one IT company would start this, it would be their end. Therefore you don't see any other company like Microsoft, Facebook, Twitter, VMware et al. mailing you about issues. You only read about it in the mainstream media like data leaks and such. I hope these companies get sued by the EU due to their GDPR breakage.
You would receive a lot of mails, because critical stuff is discovered all the time and you as a customer would just start to ignore it due to their overload of information.

If you're an IT professional, then you monitor other media sites and most probably also monitor CVEs and security mailing lists. For PVE this is the Debian and the Ubuntu Mailing list for their Kernel, so it is - as @tom wrote - very easy to keep track of the security issues related to PVE.
 
There are companies that do this, and do it well.

The closest comparison I can think of is Plesk. Plesk takes a bunch of components, such as Apache, Bind, MySQL, Postfix, nginx and so forth, and wraps them in a commercial control panel. Not so different to Proxmox really, is it?

When a serious issue is identified either in Plesk itself, or in one of the components it uses (and in severe cases OS-level elements too), Plesk informs its customers or at the very least updates their update feed with a notification that something needs attention.

There is a dedicated update page on their website, with info on what's changed whenever a minor or major update is released. They add a KB article when a major issue has been identified in a Plesk or non-Plesk component, and explain what it is about, who it affects and what to do about it.

It is very professional. It keeps them connected with their users. It informs users of what is happening. It is all plain commercial common sense, in my view.

I don't think Facebook/Twitter etc are good comparisons. But VMware is. Do they truly not tell their customers about problems? I am shocked. But just because they don't, doesn't mean Proxmox can't or shouldn't. Smaller organisations become bigger organisations by beating the big boys at their own game. Details matter. Happy customers matter. Word of mouth matters.

Sure, the big stuff issue appears in the tech news. But the Proxmox kernel is modified. Some issues will affect it and some won't. I want to be kept informed about the specific product I use - Proxmox, not generic or Debian/Ubuntu Kernel - and I want to be informed when an update is released. That's not too much to ask. In fact it seems like the most basic thing to me.

Proxmox is not some 0-budget hobbyist collective, suitable only for users of a certain technical level to use at their own risk. It is much bigger than that. Much better than that. Much more important. And as a paying Subscriber, the very least I expect is to be kept informed.
 
I want to be kept informed about the specific product I use - Proxmox, not generic or Debian/Ubuntu Kernel - and I want to be informed when an update is released. That's not too much to ask. In fact it seems like the most basic thing to me.

This is exactly what @tom described and what PVE does:
It mails you the packages that need to be updated.
 
A kernel update installation has to be planned and customers informed in advance because it might need a reboot. WILL need a reboot in this case because I'm not waiting for Kernelcare to release an update.

You can't plan when you don't know what's going on.

Not all kernel updates are critical in a security sense. Not all vulnerabilities affect modified kernels.
I'll bet huge numbers of Proxmox users are on a kernel that's at least months old.
But tell them by email or on an announcement page that there's a critical vulnerability, and they will act. Or at least they should.

You have to occasionally try to protect users from themselves. They may be lazy but more likely busy or distracted and need a nudge. Interaction with customers in a positive way is what leads to more customers and to better customer satisfaction.

I'll give you another example of a company that is doing the right thing. DigitalOcean just sent out an email to customers encouraging them to update the kernels on their Droplets. DO does not write the kernel nor control it. DO has nothing to do with the kernel. They don't even modify it. But they are interacting with their customers, assisting them to use the service provided in a safe and sensible way. This is the right thing to do.
 
I'll bet huge numbers of Proxmox users are on a kernel that's at least months old.
But tell them by email or on an announcement page that there's a critical vulnerability, and they will act. Or at least they should.

I'm still on the standpoint that the mail PVE generates is exactly that. You don't want technically in-depth information, just "updates available".

A kernel update installation has to be planned and customers informed in advance because it might need a reboot. WILL need a reboot in this case because I'm not waiting for Kernelcare to release an update.

Yes, but normally you see all the changes and know that if the kernel is updated, you need to do a reboot. You can see the changes of the package on the GUI and on the console if you've installed apt-listchanges.

I'll give you another example of a company that is doing the right thing. DigitalOcean just sent out an email to customers encouraging them to update the kernels on their Droplets. DO does not write the kernel nor control it. DO has nothing to do with the kernel. They don't even modify it. But they are interacting with their customers, assisting them to use the service provided in a safe and sensible way. This is the right thing to do.

Yes, I got that mail too. Good example, but DO is an infrastructure provider. E.g. I got no mail from Microsoft for the RDP remote bug that they discovered and fixed today, but media coverage.