Re: unattended-upgrades by default?
Hi,
On Thu Nov 03, 2016 at 18:47:28 +0000, Steve McIntyre wrote:
> Hey folks,
>
> I'm in Seattle for the Debian Cloud sprint and it's going really
> well. I'll post a report in a few days summarising what we've
> done. But, in the meantime, there's something that has come up which I
> think merits wider discussion.
>
> One of the topics that we've been talking about yesterday is automatic
> software upgrades of cloud images. Some of the cloud platform
> providers really want this so that unsophisticated / inexperienced
> users of Debian images on their platforms will be secure by
> default. But there are potential issues here:
>
> * if users are providing a service like a database from a cloud
> instance, there may be unexpected (potentially lengthy) downtime if
> upgrades happen. Of course, this can be mitigated by disabling the
> upgrade job on those machines if desired but that needs people to
> know to do this. Experienced users will probably be dealing with
> upgrades already, so this should not be an issue.
>
> * it will be a different experience compared to what people will get
> when installing Debian normally, using d-i / debootstrap. Most
> (all?) of our desktop environments already have some automatic
> notification of available updates, but (a) not everybody uses them;
> and (b) that's not so useful on a remote server installation where
> there's no desktop for the system to show a pop-up or similar.
>
> To solve the issue and provide security updates by default, I'm
> proposing that we should switch to installing unattended-upgrades by
> default (and enabling it too) *unless* something else in the
> installation is already expected to deal with security updates.
>
> Thoughts?
+1!
One side mark: once we start that, we might expose users to the public
that they run this, as then a lot of users will send a similar sized
packets to the internet! But i see no real security concern with that.
Cheers,
Martin
--
Martin Zobel-Helas <zobel@debian.org> Debian System Administrator
Debian & GNU/Linux Developer Debian Listmaster
http://about.me/zobel Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Reply to: