On 12/11/2017 11:51 AM, Steve McIntyre wrote:
On Mon, Dec 11, 2017 at 04:41:38PM +0100, Wouter Verhelst wrote:On Sun, Dec 10, 2017 at 12:22:07PM -0400, Raymond Burkholder wrote:I think its totally adequate to assume people want automatic security updates, on all kinds of systems, unless they opt out.Security updates, yes. Automated, no. Desktops, maybe. Servers, no.Are you advocating for having servers with known-security-buggy services running all over the Internet, then?That's the point here, yes. We've had this discussion already several times, and it was triggered by needs/desires of cloud providers. As a *default*, it makes sense to have automated security updates to cover the users who don't care, or don't know any better. Users with more knowledge and hard requirements about downtime etc. should already be managing this.
I think I got thrown off by the title 'unattended upgrades'. If this is limited to security updates, I am more for it, but still scared of it.
Security updates tend to come in packages which have already have had other regular patches applied (except, I suppose in 'stable' versions), and sometimes one can get caught in functional changes.
I guess that is my greatest fear, .... breakages due to updates.But my experience has mostly been with regular package updates. I haven't focused much on security updates. Can security updates be applied with out generating dependency chains and their updates?
-- Raymond Burkholder ray@oneunified.net https://blog.raymond.burkholder.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.