Re: automate updates in Lenny
On Sat, Apr 10, 2010 at 03:07:31AM +0200, thib wrote:
> Chris Hiestand wrote:
>> On Apr 7, 2010, at 12:27 PM, Ron Johnson wrote:
>>
>>> On 2010-04-07 13:52, Jozsi Vadkan wrote:
>>>> [snip]
>>> That's a foolish thing to do, since blind acceptance can lead to a broken system.
>>
>> Maybe so, but I've been using automatic upgrades for the last 2-3 years on many stable systems without a problem. The nice thing about staying within the stable distribution is that typically the only updates are security updates which are generally very small changes.
>>
>> When you get to the scale of managing tens or hundreds of debian systems it's easier to automatically upgrade and fix any problems in the off-chance they happen. If you wanted to be more careful, one solution is to set up your systems in such a way that a small group of computers get updated before the rest, as an early warning system.
>>
>> The major package changes happen between inter-distribution (eg etch -> lenny), which always need a human supervisor. This is acceptable on a larger scale because that only happens every 1.5 - 2 years.
>>
>> Also if you have other management software (e.g. cfengine, puppet) in place, it helps mitigate problems when upgrading debian packages or distributions - decreasing the cost of a package upgrade mishap across many systems.
>
> As nicely put in the reference (2.7.5):
>
> "If the risk of breaking an existing stable system by the automatic
> upgrade is smaller than that of the system broken by the intruder using
> its security hole which has been closed by the security update, you
> should consider using [the] automatic upgrade [...]"
>
> In other words, use automatic security upgrades if you can't maintain the
> system actively and have enemies.
>
You could fine-tune your automatic updates a little, in order to
minimize risk and maximize security. For instance, only automatically
update openssh-server and iceweasel (and any other internet-facing
servers or likely vectors of attack).
-Rob
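One way to implement the whitelist approach Rob describes, as an added example that is not part of this thread: a cron-able script that simulates `apt-get upgrade`, keeps only whitelisted packages whose candidate version comes from the Debian security archive, and upgrades just those. The "Inst pkg [old] (new origin)" line format and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Packages we are willing to upgrade unattended (internet-facing or likely vectors).
WHITELIST="openssh-server iceweasel"

# Constructed sample of `apt-get -s upgrade` output (not real apt output).
SAMPLE='Inst openssh-server [1:5.1p1-5] (1:5.1p1-5+lenny1 Debian-Security:5.0/stable)
Inst vim [2:7.1.314-3] (2:7.1.314-4 Debian:5.0.4/stable)
Inst iceweasel [3.0.6-3] (3.0.6-3 Debian:5.0.4/stable)
Inst libssl0.9.8 [0.9.8g-15] (0.9.8g-15+lenny6 Debian-Security:5.0/stable)'

# Read simulated apt-get output on stdin; print one package name per line for
# every "Inst" line whose package is in $1 and whose origin is Debian-Security.
# Non-security candidates (e.g. a point-release update) are deliberately skipped.
select_security_upgrades() {
    whitelist="$1"
    while read -r action pkg rest; do
        [ "$action" = "Inst" ] || continue
        case " $whitelist " in
            *" $pkg "*) ;;          # whitelisted, keep checking
            *) continue ;;          # not in the whitelist, ignore
        esac
        case "$rest" in
            *Debian-Security*) printf '%s\n' "$pkg" ;;
        esac
    done
}

# Apply the selection against the live system. Only runs when invoked with
# --apply so that sourcing or testing the script never touches apt.
apply_security_upgrades() {
    apt-get -qq update
    pkgs=$(apt-get -s upgrade | select_security_upgrades "$WHITELIST")
    [ -n "$pkgs" ] || return 0
    # shellcheck disable=SC2086  # word-splitting of $pkgs is intended
    DEBIAN_FRONTEND=noninteractive apt-get -y install --only-upgrade $pkgs
}

if [ "${1:-}" = "--apply" ]; then
    apply_security_upgrades
fi
```

Run as `sh script.sh --apply` from cron; without the flag it only defines the functions, and `printf '%s\n' "$SAMPLE" | select_security_upgrades "$WHITELIST"` shows the selection on the constructed sample.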