[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#875858: pkgsel: Offer to install/manage unattended-upgrades

On Mon, Dec 11, 2017 at 10:55:20PM -0400, Raymond Burkholder wrote:
> On 12/11/2017 11:51 AM, Steve McIntyre wrote:
> > On Mon, Dec 11, 2017 at 04:41:38PM +0100, Wouter Verhelst wrote:
> > > On Sun, Dec 10, 2017 at 12:22:07PM -0400, Raymond Burkholder wrote:
> > > > > 
> > > > > I think its totally adequate to assume people want automatic security
> > > > > updates, on all kinds of systems, unless they opt out.
> > > > 
> > > > Security updates, yes.  Automated, no.  Desktops, maybe.  Servers, no.
> > > 
> > > Are you advocating for having servers with known-security-buggy services
> > > running all over the Internet, then?
> > 
> > That's the point here, yes. We've had this discussion already several
> > times, and it was triggered by needs/desires of cloud providers. As a
> > *default*, it makes sense to have automated security updates to cover
> > the users who don't care, or don't know any better. Users with more
> > knowledge and hard requirements about downtime etc. should already be
> > managing this.
> 
> I think I got thrown off by the title 'unattended upgrades'.  If this is
> limited to security updates,

It is limited to updates *within the release you're running*. That is,
it won't change your sources.list, but it will upgrade packages that
you've already got installed.

The largest part of that is "security updates", yes, but there will
sometimes also be non-security updates of high-severity bugs in there
(for an example of such a non-security bug that I worked on a while
back, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787398).

> I am more for it, but still scared of it.

It's only meant to be a default that can be changed. If you don't like
it, as an informed user, you can switch it off (and we would encourage
you to do so if you have other ways of keeping your systems up-to-date
and secure).

It's only meant to help those who don't care about manually applying
updates.

> Security updates tend to come in packages which have already have had other
> regular patches applied (except, I suppose in 'stable' versions), and
> sometimes one can get caught in functional changes.
> 
> I guess that is my greatest fear, .... breakages due to updates.

Please educate yourself on what Debian allows for stable updates
(answer: very very very little)

> But my experience has mostly been with regular package updates.  I haven't
> focused much on security updates.  Can security updates be applied with out
> generating dependency chains and their updates?

Yes, in general. Debian prefers to backport security fixes rather than
upgrading to "the newest version", whatever that is. However, sometimes
that isn't possible (e.g., for webbrowsers), and then we do
(reluctantly) upgrade to more recent upstream versions.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab
Reply to: