
Re: policy-rc.d by default?



On Fri, Nov 04, 2016 at 03:53:55PM +0200, Apollon Oikonomopoulos wrote:
> On 14:13 Fri 04 Nov     , Luca Capello wrote:
> > I still think that a non-manual upgrade (i.e. an upgrade which has not
> > been checked by a manual process, which means that a scripted upgrade is
> > not part of it) should not be a default on any OS, but it seems I am the
> > only one thinking like this...
> 
> While enabling unattended-upgrades by default is definitely a step
> towards better security, it would be great if we could also provide
> users/admins with an easy opt-out mechanism for certain services,
> especially if we want unattended upgrades to be usable on production
> machines.
> 
> Currently unattended-upgrades provides a package blacklist that can be
> manually configured to exclude certain packages from upgrades. While
> this is useful in its own right, I think we should eventually provide an
> easy-to-configure policy-rc.d mechanism (possibly integrated with
> debconf?) to provide what most people eventually want: a "please don't
> restart my apache or mysql automatically" kind of behaviour.

needrestart can do this already:
 https://github.com/liske/needrestart/blob/master/ex/needrestart.conf#L71

so you just would need a local conf snippet with *your* services.


\o
Evgeni
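
The "please don't restart my apache or mysql automatically" behaviour discussed in this thread, written as a minimal `/usr/sbin/policy-rc.d` that invoke-rc.d consults before acting on a service. This is an added example, not part of the original message and not code from needrestart or unattended-upgrades; the `PROTECTED` list and the function name `policy_decision` are assumptions.

```shell
#!/bin/sh
# Added example: policy-rc.d that forbids automatic stop/restart of chosen
# services during package maintainer scripts.
# PROTECTED is a constructed list using the services named in the thread.
PROTECTED="${PROTECTED:-apache2 mysql}"

# policy_decision <initscript-id> <actions>
# Exit status follows the invoke-rc.d policy interface:
#   0   = action allowed
#   101 = action forbidden by policy
policy_decision() {
    id=$1
    actions=$2
    for svc in $PROTECTED; do
        [ "$id" = "$svc" ] || continue
        for action in $actions; do
            case $action in
                # Anything that would interrupt the running service is denied.
                stop|restart|try-restart|force-reload) return 101 ;;
            esac
        done
    done
    # Unlisted services, and harmless actions such as reload, are allowed.
    return 0
}

# Act as the real policy script only when installed under that name.
if [ "${0##*/}" = "policy-rc.d" ]; then
    # Skip leading options such as --quiet.
    while [ "${1#--}" != "$1" ]; do shift; done
    policy_decision "$@"
    exit $?
fi
```

A denied restart leaves the old binary running after the upgrade, so the protected services still need a restart in a maintenance window for a security fix to take effect.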

