[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#875858: pkgsel: Offer to install/manage unattended-upgrades

Hi Moritz,

Moritz Mühlenhoff <jmm@inutil.org> (2018-05-27):
> Sorry for the late reply, busy and backlogged in my inbox.

No worries, I know the feeling; and thanks for the detailed answer!

Replying only briefly (for similar reasons):

> u-u is also very rudimentary. It doesn't support service restarts
> e.g., so installing an openssl update is pretty pointless as it
> doesn't even attempt to warn/act on library restarts.
> It's also very brittle, only a few days ago I had to fix a stretch
> system where it uninstalled virtually all KDE packages after
> installing the VLC update (which installed a new version of libvlccore
> and all went kaboom).
> All this crap falls back to the security team, because people think
> our update broke the system. Or stuff like
> https://lists.debian.org/debian-security/2018/05/msg00011.html
> u-u breaks stuff (and would even more so if installed by default on
> servers, where it will cause unpredictable server downtimes during
> restarts etc.) and Debian should not be broken by default.
> If userse make a concious decision to accept the consequences of
> unattended-upgrades, then they can install it explicitly and have to
> deal with the fallout, but it must not be part of a default
> installation.
> If this had been proposed to team@security.debian.org before making
> the change we would have objected immediately as we are the ones
> primarily affected.  We can't sensibly follow all the
> discussions/developments made in Debian, it's far too big. (And being
> in the security team is already so time-demanding that it leaves
> little for other Debian work anyway).

Sorry about the fallouts. I can't say for sure but ISTR I only found out
about this change when preparing a release announcement, even if there
were prior discussions in other channels (debian-devel@). The security
team should have been looped in, and I'm sorry I didn't think of it at
the time, even after the fact (= right after a D-I Alpha was published).

debian-boot@: the requested revert looks fine to me, bonus points if it
comes with a (short) summary of these reasons in changelog, so that they
can be emphasized in the release announcement. :)

Thanks to everyone involved.

Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to: