On Thu, Apr 10, 2014 at 11:24 AM, Himanshu Vasishth <[email protected]> wrote:
>
> I agree that there are scenarios where automatic updates are not the right
> thing. I also understand that Debian users may already be familiar with the
> fact that Debian doesn't have automatic updates turned on.
>
> However, I don't think it is fair to assume that users of Debian on GCE fall
> in the category

That is highly speculative...

> of folks who are already familiar with Debian and thus expect things to work a
> specific way. For starters, the quick-start guide on GCE uses Debian
> image. Also, the first two images in the UI dropdown that lets users select
> images are Debian images. As a result it is likely that a
> significant number of users are not familiar with Debian.
>
> There is no README for GCE images, so this is not something we can document
> there. As I said, I agree that automatic updates may not be the right thing
> for all users.
>
> The question I have is, if we turn on automatic security updates and add a
> warning in motd clearly pointing out that automatic security updates are
> turned on and that it may cause long running instances to restart at
> arbitrary times, would that be sufficient information for users who are
> running long running tasks to turn it off or would that not be sufficient?
>
>
> On Wed, Apr 9, 2014 at 8:22 PM, olivier sallou <[email protected]>
> wrote:
>>
>> 2014-04-10 0:45 GMT+02:00 Anders Ingemann <[email protected]>:
>>
>>> On 9 April 2014 23:14, Himanshu Vasishth <[email protected]> wrote:
>>>>
>>>> Good point. It would certainly not be desirable if a long running process
>>>> was restarted. We could definitely add a note to image description.
>>>>
>>>> How about also adding a message to motd so that when users login they are
>>>> made aware of the fact that automatic security updates are turned on and
>>>> that users should review the settings if they are running long running
>>>> processes? Let me know if motd is not the right mechanism for this and if
>>>> there is a different way this should be done. I am still learning about
>>>> various aspects of Debian.
>>>>
>>>> On Wed, Apr 9, 2014 at 1:59 PM, Tomasz Rybak <[email protected]> wrote:
>>>>>
>>>>> On 2014-04-09, Wed at 11:06 -0700, Himanshu Vasishth wrote:
>>>>> > Hey everyone
>>>>> >
>>>>> > I just wanted to give a quick heads up. We have pushed new images on
>>>>> > GCE which include the latest version of openssl package (1.0.1e-2
>>>>> > +deb7u6) which addresses CVE-2014-0160. The new images are named
>>>>> > debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
>>>>> >
>>>>> > We have also provided instructions to users on how they can update
>>>>> > their running instances
>>>>> > at https://developers.google.com/compute/docs/security-bulletins.
>>>>> >
>>>>> > Now that the images are out, one of the questions that this brings up
>>>>> > is - should we have automatic upgrades turned on for security issues
>>>>> > by default on Debian images running on GCE?
>>>>> >
>>>>> > The unattended-upgrades package is configured to only do security
>>>>> > updates by default, and for most users this would be a good thing to
>>>>> > turn on. I suspect most users won't mind, and for the small set that
>>>>> > do care about every update, it would be easy enough for them to turn
>>>>> > it off.
>>>>>
>>>>> On one hand having security fixes applied is a Good Thing.
>>>>> On the other hand - if I would start some long-running process
>>>>> during which something (here apt) would restart my database,
>>>>> it would not be nice.
>>>>>
>>>>> But adding some note (to README, or image description) about
>>>>> such autoupdate should fix the problem; e.g. Amazon shows times
>>>>> when it can update PostgreSQL and such a knowledge allows
>>>>> for planning longer jobs.
>>>>>
>>>>> Best regards.
>>>>>
>>>>> --
>>>>> Tomasz Rybak <[email protected]> GPG/PGP key ID: 2AD5 9860
>>>>> Fingerprint A481 824E 7DD3 9C0E C40A 488E C654 FB33 2AD5 9860
>>>>> http://member.acm.org/~tomaszrybak
>>>>>
>>>>
>>>
>>> > Now that the images are out, one of the questions that this brings up is
>>> > - should we have automatic upgrades turned on for security issues by
>>> > default on Debian images running on GCE?
>>>
>>> I think that is a really bad idea (sorry for being blunt), not only because
>>> of what Tomasz mentioned but also because you may have customers who have
>>> closed down all incoming connections on their machines and only allow
>>> outgoing ones (configuration through puppet/chef etc., work being done by
>>> fetching from a queue etc.). Those machines will pretty much never need any
>>> updates.
>>> I think the unix principle of least surprise applies here: When users boot
>>> up a vanilla official debian image, do they expect unattended security
>>> upgrades to be turned on by default?
>>> The debian installer doesn't do that and neither do most ready to go debian
>>> installations I have encountered.
>>> Just my two cents :-)
>>
>> +1
>> why not simply specify in the README that there is NO automatic security
>> update and that if user wishes to do so, he can simply activate it. Image
>> should not launch any unattended action by default.
>>
>> Olivier
>>>
>>> Anders
>>
>> --
>>
>> gpg key id: 4096R/326D8438 (keyring.debian.org)
>>
>> Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
>
>

--
Jose R R
http://www.metztli-it.com
