
You shouldn't be disabling unattended-upgrades unless you're very diligent with security updates yourself.



> You shouldn't be disabling unattended-upgrades unless you're very diligent with security updates yourself.

That statement might be true regarding some users.

But for many Linux users and installations, it's false.


Why is it false? Those security updates are important and it's very nonintrusive.


> Why is it false? Those security updates are important and it's very nonintrusive.

Not sure if this is a complete list, but here are some of my reasons:

a) It's common for updates to contain a mix of security-fixes and other stuff. Sometimes that "other stuff" breaks things and/or needs vetting for deployed systems.

b) Sometimes even "security fixes" break stuff. (I don't have the time to find examples, so feel free to take this with a grain of salt.)

c) Sometimes a forced restart of the system or a program is worse than a delayed update. For example, when giving a presentation, or when firefighting a production issue.

d) It's absolutely an attractive attack vector. I want time to hear about problems before installing updates.

And finally, this might not resonate with everyone, but:

e) It's my system. Nobody else gets to override my choices for how it runs. Full stop. I refuse to cede my agency in this area of computing.


> It's common for updates to contain a mix of security-fixes and other stuff. Sometimes that "other stuff" breaks things and/or needs vetting for deployed systems.

So you have no experience with unattended-upgrades. They really don't contain new features; that's not how Debian's model works: they backport security fixes to keep features the same.

> Sometimes a forced restart of the system or a program is worse than a delayed update. For example, when giving a presentation, or when firefighting a production issue.

Again, you have no clue how Debian/APT updates work. Things don't just get forcefully restarted.

> It's absolutely an attractive attack vector. I want time to hear about problems before installing updates.

Unpatched software is significantly more so than attacking your distribution.

> e) It's my system. Nobody else gets to override my choices for how it runs. Full stop. I refuse to cede my agency in this area of computing.

Sure, feel free to do with yours as you please, but don't recommend terrible things to others, especially those not as proficient.

It's bad advice for most end-users and sysadmins to get rid of unattended-upgrades, especially for the FUD reasons listed above.

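The knobs that the comment above is relying on, shown as an added example rather than anything posted in the thread: a Debian-style /etc/apt/apt.conf.d/50unattended-upgrades fragment that confines unattended-upgrades to the security pocket, holds back one package that needs manual vetting, and leaves any reboot to the administrator. The origin/label strings and the blacklisted package name are assumptions for illustration; the origins actually in use on a host are visible in `apt-cache policy`.

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades (added example, not the thread's text)

// Only take packages from the Debian security pocket. Plain stable-updates and
// the main suite are deliberately left out. These origin/label values are the
// usual Debian ones but are an assumption here: compare them against the
// "o=...,l=..." fields printed by `apt-cache policy` before relying on them.
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};

// Packages that must be vetted by hand before any upgrade is applied.
// The package name is illustrative.
Unattended-Upgrade::Package-Blacklist {
    "postgresql-15";
};

// Never reboot on its own, even when a package drops /var/run/reboot-required.
// The pending reboot is then taken during a maintenance window instead.
Unattended-Upgrade::Automatic-Reboot "false";

// Apply each upgrade as a separate, interruptible step so a stop request
// (for example `systemctl stop unattended-upgrades`) does not leave a
// half-finished transaction behind.
Unattended-Upgrade::MinimalSteps "true";

// Mail a report of what was (or, in dry-run mode, would be) done to root.
Unattended-Upgrade::Mail "root";
```

The timer side is separate: `APT::Periodic::Update-Package-Lists "1";` and `APT::Periodic::Unattended-Upgrade "1";` in /etc/apt/apt.conf.d/20auto-upgrades turn the daily run on. Before trusting the origin pattern, run `unattended-upgrade --dry-run --debug` as root and read the list of packages it says it would upgrade; an empty list usually means the pattern does not match the host's actual origins (Ubuntu, for instance, expresses the same thing as `"${distro_id}:${distro_codename}-security"` under Unattended-Upgrade::Allowed-Origins).
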

It sounds like there's some confusion here.

I was talking about Snap, not APT.


Come on, this is like gassing up your car.

Yes every once in a while you see some person on the side of the road who forgot to fill up with gas.

But is the answer to force everyone to pull over and gas up every 4 hours?

(yes, this is an imperfect analogy, but you get the idea)


That's not how unattended-upgrades works at all. It's not Snap.



