Informing clients about updates

[Jeff75]

I wanted to run a poll to see what % of hosts inform their clients before or after they make updates (upgrading apache, php, cpanel, etc security fixes) to the server. It seems like it would be better to notify them in advance in case there's any problems that arise during the upgrade so they know you're doing maintenance. But on the other hand, if you inform them through your website and post that your servers have a security vulnerability, it could be appealing to hackers who want to cause havoc.

[SarcNBit]

We have a weekly 2hr. maintainence window that all clients are aware of. We tackle most "heavier" updates during that window.

If there is an issue that we foresee expanding beyond that window (<cough> changing datacenters <cough>), we will notify clients as far in advance as possible.

We do not notify clients each time an admin sneezes at the server as this would lead to increased support costs.

[EDIT]You really do not have a poll choice that covers our practice so I did not vote[/EDIT]

[PWSowner]

You really do not have a poll choice that covers our practice so I did not vote

True here as well. We inform clients in advance if we do something that may affect their site, but do not inform them of everything we do, or every cpanel update.

[dandanfireman]

This one is kind of a double edged sword. While I will be the first one to say that customer communication is important, there is a downside. if I send an email to all of my customers saying "I will be upgrading to php 4.3.8 on Friday". This tells the customer 2 things.

1. We are not secure now.
2. You have until Friday to try to use the vulnerability to break in.

This is why we typically don't announce security vulnerabilities....or if we do, we don't announce which ones we are fixing beforehand.

[peddler]

This one is kind of a double edged sword. While I will be the first one to say that customer communication is important, there is a downside. if I send an email to all of my customers saying "I will be upgrading to php 4.3.8 on Friday". This tells the customer 2 things.

1. We are not secure now.
2. You have until Friday to try to use the vulnerability to break in.

This is why we typically don't announce security vulnerabilities....or if we do, we don't announce which ones we are fixing beforehand.

I would never tell clients what's being done, specifically. Firstly, a minimal percentage of clients would know what you're speaking of, and secondly, you would be announcing a vulnerability on your server(s). If I run into a situation, whereby there will be an unscheduled interruption of service, I do inform the clients, but with no specifics. The clients support our actions fully and have resolve in knowing if there is a need to do an emergency upgrade, that we are doing so for the betterment of all. We do set apart a 1 hour time slot late Sunday nights whereby all clients know that if there is regular maintenance to be done, that’s when it will happen.

[rpmws]

I tell them general things like this on todays PHP upgrade.

Expect some downtime on the web server(s) between the hours of 1AMand 2AM EST on July 15th, 04. We expect most services such as email and FTP to behave normally. You may see brief moments where the web server is down for restarts. Thanks.

That's what I tell them. Make it seem like normal everyweek stuff.

[haze]

We only notify clients if the update will or may have any effect on uptime or if it may have an effect on any of their scripts.

Normally we inform ahead of time for such things as, kernel, major php upgrades ( that clients may have to change code for, etc ), apache recompiles, etc.

Regular cpanel updates shouldn't need to be mentioned unless you just want to let clients know about new features they might use. Else, you'll start emailing them all for every new rpm update :P

[perlchild]

I wanted to run a poll to see what % of hosts inform their clients before or after they make updates (upgrading apache, php, cpanel, etc security fixes) to the server. It seems like it would be better to notify them in advance in case there's any problems that arise during the upgrade so they know you're doing maintenance. But on the other hand, if you inform them through your website and post that your servers have a security vulnerability, it could be appealing to hackers who want to cause havoc.

I would not identify the particular vulnerability you are patching against, but I would definitly warn clients of the downtime, and potential excess load due to an update. Better yet, set a maintenance window, warn clients that updates are performed then, and remind them when you perform the update, within the window. Much more professional.