Bug#875858: pkgsel: Offer to install/manage unattended-upgrades

To: Raphael Hertzog <hertzog@debian.org>
Cc: Raymond Burkholder <ray@oneunified.net>, Steve McIntyre <steve@einval.com>, Wouter Verhelst <wouter@debian.org>, 875858@bugs.debian.org, 'Holger Levsen' <holger@layer-acht.org>, 'Moritz Mühlenhoff' <jmm@inutil.org>
Subject: Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sun, 17 Dec 2017 15:28:45 +0100
Message-id: <[🔎] 20171217142845.emwgy7blty4envu5@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 875858@bugs.debian.org
In-reply-to: <[🔎] 20171212082350.GB21570@home.ouaza.com>
References: <150546871303.4559.13969797016748677490.reportbug@x260-buxy.home.ouaza.com> <[🔎] 20171210113408.q4zkainhbjylojac@pisco.westfalen.local> <150546871303.4559.13969797016748677490.reportbug@x260-buxy.home.ouaza.com> <[🔎] 20171210161312.rale5h2kg2nwljbl@layer-acht.org> <150546871303.4559.13969797016748677490.reportbug@x260-buxy.home.ouaza.com> <[🔎] 5ec001d371d3$06eb5300$14c1f900$@oneunified.net> <[🔎] 20171211154138.GD15516@grep.be> <[🔎] 20171211155103.ypdvhai7qe6ulw23@tack.einval.com> <[🔎] b3c7302a-f674-39b4-0e0f-1db3feb90edd@oneunified.net> <[🔎] 20171212082350.GB21570@home.ouaza.com> <150546871303.4559.13969797016748677490.reportbug@x260-buxy.home.ouaza.com>

On Tue, Dec 12, 2017 at 09:23:50AM +0100, Raphael Hertzog wrote:
> > But my experience has mostly been with regular package updates.  I haven't
> > focused much on security updates.  Can security updates be applied with out
> > generating dependency chains and their updates?
> 
> Yes. I am seriously doubting that you ever applied any security update on
> a server running Debian stable by yourself. That's the point of security
> updates on stable releases, they fix only the security vulnerabilities but
> do not introduce functional changes and have a limited risk of breakage.

unattended-upgrades are not an appropriate default. It's okay for a desktop
system which gets powered down daily, so you can add it to tasksel lists for
desktop roles, but not enable it by default for servers.

- It does not handle restarts. If you upgrade OpenSSL (or any library) with
it, all your services will be left vulnerable until restarted. It will
give people a warm fuzzy feeling, but not any actual security benefit.
- We do need to make the occasional breaking change where people have to
modify configuration settings or perform additional manual steps. With
unattended-upgrades people don't have a chance to intervene. And if their
setups break, we're the ones who get blamed.

Why was this change made without contacting team@security.debian.org (as
the ones who are affected the most)?

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Raphael Hertzog <hertzog@debian.org>

References:
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Holger Levsen <holger@layer-acht.org>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: "Raymond Burkholder" <ray@oneunified.net>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Wouter Verhelst <wouter@debian.org>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Steve McIntyre <steve@einval.com>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Raymond Burkholder <ray@oneunified.net>
- Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Changing di-netboot-assistants directory within the TFTP-root
Next by Date: Re: [pkg-cryptsetup-devel] Upcoming transition: libcryptsetup4 -> libcryptsetup12
Previous by thread: Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
Next by thread: Bug#875858: pkgsel: Offer to install/manage unattended-upgrades
Index(es):
- Date
- Thread