The Computer Officers install all security patches on the managed workstations. This gives us a chance to test them out before installing, as some patches have been known to break things. This document describes how to carry out the patching.
All the workstations' root accounts are configured with an ssh authorized_keys file that allows the patching machine to log in without a password. The workstations report their update status to Hobbit, and we have a script that reads this and applies patches to any machines that need them. The easiest way to start the patching is to go to http://apps.ch.cam.ac.uk/triggers/ and push the appropriate button.
The machines will report to Hobbit under 'kernel' when there has been a kernel patch and they need a reboot.
Ubuntu machines should nag the user about this themselves. However, if the Hobbit dot is red, that means 'needs a reboot and you can do it now', while yellow means 'needs a reboot but users are logged in'. So it should be safe to reboot any machines with red kernel dots.