Bug#875858: pkgsel: Offer to install/manage unattended-upgrades

On Tue, Dec 12, 2017 at 09:23:50AM +0100, Raphael Hertzog wrote:
> > But my experience has mostly been with regular package updates.  I haven't
> > focused much on security updates.  Can security updates be applied without
> > generating dependency chains and their updates?
> Yes. I am seriously doubting that you ever applied any security update on
> a server running Debian stable by yourself. That's the point of security
> updates on stable releases, they fix only the security vulnerabilities but
> do not introduce functional changes and have a limited risk of breakage.

unattended-upgrades are not an appropriate default. It's okay for a desktop
system which gets powered down daily, so you can add it to tasksel lists for
desktop roles, but not enable it by default for servers.

- It does not handle restarts. If you upgrade OpenSSL (or any library) with
it, all your services will be left vulnerable until restarted. It will
give people a warm fuzzy feeling, but not any actual security benefit.
- We do need to make the occasional breaking change where people have to
modify configuration settings or perform additional manual steps. With
unattended-upgrades people don't have a chance to intervene. And if their
setups break, we're the ones who get blamed.

Why was this change made without contacting team@security.debian.org (as
the ones who are affected the most)?
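The restart problem raised above (a library upgraded on disk while running services keep the old, vulnerable copy mapped) can be detected from /proc: dpkg replaces a library by unpacking a new file and renaming it into place, so a process still using the old inode shows that mapping in /proc/<pid>/maps with a "(deleted)" suffix. The following is an added illustration of that check, not code from this bug thread or from unattended-upgrades; the sample maps content is constructed, and the function and file names are this example's own.

```python
#!/usr/bin/env python3
"""List processes still mapping shared libraries that were replaced on disk.

Added example: a minimal version of the check that tools such as needrestart
and checkrestart perform after a library upgrade. Constructed sample data is
used so the parser can be exercised without root or a live /proc.
"""
import os

# Constructed /proc/<pid>/maps excerpt for a hypothetical web server process
# whose OpenSSL libraries were upgraded while it kept running.
SAMPLE_MAPS = """\
55d8b9c00000-55d8b9c2b000 r--p 00000000 fd:01 2621441   /usr/sbin/nginx
7f2b8c800000-7f2b8c8a0000 r-xp 00025000 fd:01 1048614   /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2b8ca00000-7f2b8cc6d000 r-xp 00037000 fd:01 1048602   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f2b8cd00000-7f2b8cd22000 r-xp 00001000 fd:01 1048580   /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b8ce00000-7f2b8ce01000 rw-s 00000000 00:01 40        /dev/zero (deleted)
7ffd1a200000-7ffd1a221000 rw-p 00000000 00:00 0         [stack]
"""

# Constructed maps excerpt for a process that was restarted after the upgrade.
CLEAN_MAPS = """\
55d8b9c00000-55d8b9c2b000 r--p 00000000 fd:01 2621441   /usr/sbin/nginx
7f2b8c800000-7f2b8c8a0000 r-xp 00025000 fd:01 1048700   /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f2b8cd00000-7f2b8cd22000 r-xp 00001000 fd:01 1048580   /usr/lib/x86_64-linux-gnu/libc.so.6
"""

DELETED_SUFFIX = " (deleted)"


def deleted_libs_from_maps(maps_text):
    """Return the set of shared-library paths mapped from unlinked inodes.

    Each maps line is: address perms offset dev inode [path]. Only entries
    whose path looks like a shared object (".so" in the file name) are kept,
    so unrelated deleted mappings such as /dev/zero or memfd regions are ignored.
    """
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        if not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        if ".so" in os.path.basename(path):
            stale.add(path)
    return stale


def needs_restart(maps_text):
    """True if the process described by maps_text still uses a replaced library."""
    return bool(deleted_libs_from_maps(maps_text))


def scan_running_processes(proc_root="/proc"):
    """Scan a live /proc tree; returns {pid: (comm, set_of_stale_libs)}.

    Processes that cannot be read (permissions, exited mid-scan) are skipped,
    so run as root for a complete picture.
    """
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "maps")) as fh:
                stale = deleted_libs_from_maps(fh.read())
            if not stale:
                continue
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        report[int(entry)] = (comm, stale)
    return report


if __name__ == "__main__":
    # Demonstrate the parser on the constructed samples, then scan this host.
    print("sample process needs restart:", needs_restart(SAMPLE_MAPS))
    print("clean process needs restart:", needs_restart(CLEAN_MAPS))
    for pid, (comm, libs) in sorted(scan_running_processes().items()):
        print(f"{pid} ({comm}) still maps: {', '.join(sorted(libs))}")
```

On a real Debian host the packaged tools needrestart (which apt can hook automatically) and checkrestart from debian-goodies perform this check more thoroughly, including mapping PIDs back to the services that should be restarted; the point of the script is only to make visible the window between "library upgraded" and "service actually fixed" that the message above describes.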
