[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updating images on GCE to address CVE-2014-0160

I agree that there are scenarios where automatic updates are not the right thing. I also understand that Debian users may already be familiar with the fact that Debian doesn't have automatic updates turned on.

However, I don't think it is fair to assume that users of Debian on GCE fall in the category of folks who are already familiar with Debia and thus expect things to work a specific way. For starters, the quick-start guide on GCE uses Debian image. Also, the first two images in the UI dropdown that lets users select images are Debian images. As a result it is likely that a significant number of users are not familiar with Debian.

There is no README for GCE images, so this is not something we can document there. As I said, I agree that automatic updates may not be the right thing for all users. 

The question I have is, if we turn on automatic security updates and add a warning in motd clearly pointing out that automatic security updates are turned on and that it may cause long running instances to restart at arbitrary times, would that be sufficient information for users who are running long running tasks to turn it off or would that not be sufficient?

On Wed, Apr 9, 2014 at 8:22 PM, olivier sallou <olivier.sallou@gmail.com> wrote:

2014-04-10 0:45 GMT+02:00 Anders Ingemann <anders@ingemann.de>:

On 9 April 2014 23:14, Himanshu Vasishth <hvasishth@google.com> wrote:
Good point. It would certainly not be desirable of a long running process was restarted. We could definitely add a note to image description.

How about also adding a message to motd so that when users login they are made aware of the fact that automatic security updates are turned on and that users should review the settings if they are running long running processes? Let me know if motd is not the right mechanism for this and if there is a different way this should be done. I am still learning about various aspects of Debian.

On Wed, Apr 9, 2014 at 1:59 PM, Tomasz Rybak <tomasz.rybak@post.pl> wrote:
Dnia 2014-04-09, śro o godzinie 11:06 -0700, Himanshu Vasishth pisze:
> Hey everyone
> I just wanted to give a quick heads up. We have pushed new images on
> GCE which includes the latest version of openssl package (1.0.1e-2
> +deb7u6) which addresses CVE-2014-0160. The new images are named
> debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
> We have also provided instructions to users no how they can update
> their running instances
> at https://developers.google.com/compute/docs/security-bulletins.
> Now that the images are out, one of the questions that this brings up
> is - should we have automatic upgrades turned on for security issues
> by default on Debian images running on GCE?
> The unattended-upgrades package is configured to only do security
> updates by default, and for most users this would be a good thing to
> turn on. I suspect most users won't mind, and for the small set that
> do care about every update, it would be easy enough for them to turn
> it off.

On one hand having security fixes applied is a Good Thing.
On the other hand - if I would start some long-running process
during which something (here apt) would restart my database,
it would not be nice.

But adding some note (to README, or image description) about
such autoupdate should fix the problem;  e.g. Amazon shows times
when it can update PostgreSQL and such a knowledge allows
for planning longer jobs.

Best regards.

Tomasz Rybak <tomasz.rybak@post.pl> GPG/PGP key ID: 2AD5 9860
Fingerprint A481 824E 7DD3 9C0E C40A  488E C654 FB33 2AD5 9860

> Now that the images are out, one of the questions that this brings up is - should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?

I think that is a really bad idea (sorry for being blunt), not only because of what Tomasz mentioned but also because you may have customers who have closed down all incoming connections on their machines and only allow outgoing ones (configuration through puppet/chef etc., work being done by fetching from a queue etc.). Those machines will pretty much never need any updates.
I think the unix principle of least surprise applies here: When users boot up a vanilla official debian image, do they expect unattended security upgrades to be turned on by default?
The debian installer doesn't do that and neither do most ready to go debian installations I have encountered.
Just my two cents :-)

why not simply specify in the README that there is NO automatic security update and that if user wishes to do so , he can simply activate it. Image should not launch any unattended action by default.



gpg key id: 4096R/326D8438  (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438

Reply to: