
What about doing security updates automatically?



Hello

I still haven't found an answer to this question:

How do I automate security updates on debian stable, and do it in a secure manner?

The only way to prevent one from getting trojans seems to be to check the signature that comes with the security-announce emails, then check the md5 sums listed there. Even when upgrading manually, one should only apt-get -d install package and then go into /var/cache/apt/archives and check the md5, so one could just ignore the apt system altogether and use wget instead.

Someone has said once on this list that future versions of apt/debian will support signed packages. When will this be? There's nothing mentioned in the debian faq. (I've noticed that dpkg-buildpackage tries to sign the package, but I haven't found any hint how to let dpkg check that.)

Maybe you will say "don't automatically change your production system even when you're protected against trojans, since it could break something", but if done carefully (i.e. the packages don't break anything), it should be better than forgetting to upgrade the server and letting it run with a hole? What do you think?

Maybe it would be good enough to have a tool that first checks whether an *installed* package needs a security fix and then alarms the administrator. "apt-get update && apt-get -s -q -q upgrade" could be used for this, but it will also print packages that are on hold for some reason, so postprocessing would be needed anyway, and (network) failures would have to be handled gracefully to prevent sending false alerts to the admin - in short, I would prefer a finished solution to reinventing the wheel ;-) (And upon receiving the alert, the admin would have to wait for the security-announce to arrive to be able to check the integrity)

It just seems like a missing link in the apt system.

Christian.
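As an added example (not part of the original post, and not a Debian tool), here is a sketch of the two pieces the post asks for: a filter over "apt-get -s -q -q upgrade" output that reports only pending packages from the security source and ignores packages kept back on hold, treating a failed "apt-get update" as "no information" rather than as an alert, and a check of downloaded .deb files in /var/cache/apt/archives against md5 sums copied from a signature-verified security-announce mail. It assumes the simulated-upgrade line format "Inst pkg [old] (new Debian-Security:...)" and a checksum file in "md5sum -c" format ("<md5>  <filename>"); both are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: apt-get -s output
# lines look like "Inst <pkg> [<old>] (<new> Debian-Security:...)" and the
# checksum file is in "md5sum -c" format. Alerts go to stdout; replace the
# printf in check_security_updates with a mail to the admin.

# Read "apt-get -s -q -q upgrade" output on stdin and print "pkg old new" for
# each package that would be installed from the security source. Packages on
# hold are reported as "kept back", never as "Inst" lines, so selecting "Inst"
# lines drops them without further postprocessing.
security_pending() {
    awk '$1 == "Inst" && $0 ~ /Debian-Security/ {
        old = substr($3, 2, length($3) - 2)   # strip the surrounding [ ]
        new = substr($4, 2)                   # strip the leading (
        print $2, old, new
    }'
}

# Verify the .deb files in the apt cache (default /var/cache/apt/archives)
# against a checksum file whose sums were taken from the signed announce mail.
# Returns non-zero if any file is missing or its md5 does not match.
verify_cache() {
    sums=$1
    cache=${2:-/var/cache/apt/archives}
    case $sums in /*) ;; *) sums=$PWD/$sums ;; esac   # md5sum -c runs inside the cache dir
    ( cd "$cache" && md5sum -c "$sums" >/dev/null )
}

# Entry point: refresh the package lists, simulate the upgrade, and report.
# Exit status: 0 nothing pending, 1 security updates pending, 2 could not tell
# (network or apt failure), so a cron job can distinguish "alert" from "retry".
check_security_updates() {
    if ! apt-get -q -q update >/dev/null 2>&1; then
        echo "apt-get update failed; no alert sent" >&2
        return 2
    fi
    pending=$(apt-get -s -q -q upgrade 2>/dev/null | security_pending) || return 2
    [ -n "$pending" ] || return 0
    printf 'Security updates pending on %s:\n%s\n' "$(hostname)" "$pending"
    return 1
}

# Run the real check only when invoked directly on a machine that has apt-get.
if [ "${0##*/}" = "check-security-updates.sh" ] && command -v apt-get >/dev/null 2>&1; then
    check_security_updates
fi
```

The checksum step only has value if the sums come from a mail whose signature was verified first, as the post says; the script takes that file as input and does not fetch anything itself.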


