[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#875858: pkgsel: Offer to install/manage unattended-upgrades

On Tue, Dec 12, 2017 at 09:23:50AM +0100, Raphael Hertzog wrote:
> > But my experience has mostly been with regular package updates.  I haven't
> > focused much on security updates.  Can security updates be applied with out
> > generating dependency chains and their updates?
> Yes. I am seriously doubting that you ever applied any security update on
> a server running Debian stable by yourself. That's the point of security
> updates on stable releases, they fix only the security vulnerabilities but
> do not introduce functional changes and have a limited risk of breakage.

unattended-upgrades are not an appropriate default. It's okay for a desktop
system which gets powered down daily, so you can add it to tasksel lists for
desktop roles, but not enable it by default for servers.

- It does not handle restarts. If you upgrade OpenSSL (or any library) with
it, all your services will be left vulnerable until restarted. It will
give people a warm fuzzy feeling, but not any actual security benefit.
- We do need to make the occasional breaking change where people have to
modify configuration settings or perform additional manual steps. With
unattended-upgrades people don't have a chance to intervene. And if their
setups break, we're the ones who get blamed.

Why was this change made without contacting team@security.debian.org (as
the ones who are affected the most)?


Reply to: