You can tell me if I am 'beating a dead horse', but for the sake of argument, let us see where this goes ...

On 12/11/2017 11:41 AM, Wouter Verhelst wrote:
> On Sun, Dec 10, 2017 at 12:22:07PM -0400, Raymond Burkholder wrote:
>>
>>> I think it's totally adequate to assume people want automatic security
>>> updates, on all kinds of systems, unless they opt out.
>>
>> Security updates, yes.  Automated, no.  Desktops, maybe.  Servers, no.
>
> Are you advocating for having servers with known-security-buggy services
> running all over the Internet, then?

Hmm, almost like being asked to answer the question 'have you stopped beating your <fill in the blank> yet?'. One can't win by answering.

But things depend:

* servers can't be rebooted willy-nilly

* when a package is updated with files open, the active process gets the existing files, and new processes get the new files; is the patched package functional simultaneously in both activities (file formats, database schemas, ...)?

* does the patch introduce a functional change which may break operations (inverting logic on something, removing a flag, ...) which breaks dependencies elsewhere?


>> For my infrastructure, updates, of whatever kind, need to be
>> incorporated into the test/build/roll-out cycle.
>
> If you have a test/build/roll-out cycle, then you presumably have a
> local mirror (and if you don't, well, why not?) Just make sure your
> servers only pull from that local mirror, and you're done.

I do have the local mirror (more like a package proxy at the moment),

But this mechanism does require a certain finesse. Running apt update && apt upgrade against that local mirror/proxy may cause it to update to versions not quite desired, which leads to a specialized mirror with pre-cleared packages, but, well, I'm not that sophisticated quite yet.


> [...]
>> So, as an accommodation, a flag in the preseed mechanism to
>> enable/disable would be helpful.  But would need to be exposed in
>> maybe the expert mode menus, which I think was already mentioned.
>
> What Raphaël was proposing is exactly that, yes.
>
> Also, there is absolutely *no* technical difference between "the preseed
> mechanism", "a low-priority debconf question", and "something in the
> expert mode menus". None. Zero. Zilch.


--
Raymond Burkholder
r...@oneunified.net
https://blog.raymond.burkholder.net
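As an added example of the "servers only pull from that local mirror" arrangement discussed in the message above (this is not code from any of the posters, nor from Debian itself): a script that writes the apt configuration for a server that takes only security updates, only from its own mirror, and never reboots on its own, leaving every other upgrade to the manual test/build/roll-out cycle. The mirror URLs (mirror.example.internal), the suite name and the check function are assumptions for illustration; APT_ROOT defaults to a scratch directory so the script can be run without root and without touching a real system.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Writes an apt configuration under $APT_ROOT/etc/apt for a server that
# should take security updates only, from its own mirror only, and never
# reboot by itself. APT_ROOT defaults to a scratch directory.
# Mirror URLs and suite name are illustrative assumptions.
set -eu

APT_ROOT="${APT_ROOT:-$(mktemp -d)}"
MIRROR="${MIRROR:-http://mirror.example.internal/debian}"
MIRROR_SEC="${MIRROR_SEC:-http://mirror.example.internal/debian-security}"
SUITE="${SUITE:-stretch}"

write_apt_config() {
    mkdir -p "$APT_ROOT/etc/apt/apt.conf.d"

    # Only the local mirror is listed. No upstream host appears, so the
    # box cannot fetch anything the mirror operator has not staged.
    cat > "$APT_ROOT/etc/apt/sources.list" <<EOF
deb ${MIRROR} ${SUITE} main
deb ${MIRROR_SEC} ${SUITE}/updates main
EOF

    # Turn the periodic run on (the default the thread is arguing about).
    cat > "$APT_ROOT/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Limit the automatic run to the Debian-Security origin, apply one
    # package at a time, and never reboot. A plain 'apt upgrade' against
    # the same mirror would take every newer version; this does not.
    # (Quoted heredoc: ${distro_codename} is expanded by unattended-upgrades,
    # not by this shell.)
    cat > "$APT_ROOT/etc/apt/apt.conf.d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
EOF
    printf '%s\n' "$APT_ROOT/etc/apt"
}

# Returns 0 when the generated config has automatic reboot off, exactly one
# origin pattern and that one is the security origin, and no upstream
# debian.org host in sources.list; returns 1 otherwise.
check_generated_config() {
    uu="$APT_ROOT/etc/apt/apt.conf.d/50unattended-upgrades"
    grep -q 'Automatic-Reboot "false"' "$uu" || return 1
    [ "$(grep -c '^ *"origin=' "$uu")" -eq 1 ] || return 1
    grep -q 'label=Debian-Security' "$uu" || return 1
    ! grep -q 'debian\.org' "$APT_ROOT/etc/apt/sources.list"
}

write_apt_config
check_generated_config || { echo "generated config failed its check" >&2; exit 1; }
echo "apt configuration written under $APT_ROOT/etc/apt"
```

Run as root with APT_ROOT=/ to install it on a host. Automatic-Reboot "false" covers the "can't be rebooted willy-nilly" point; the open-files and schema questions raised in the list above are not addressed by any apt setting and stay with the test/build/roll-out cycle.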
