2013/8/1 Vincent Liggio <[email protected]>

> [...]
>
> That's fine, do a single update immediately after install. If they are
> "not an option" how come most OS's on the planet are not patched? (not that
> this is a good thing, mind you).
>

There are a bunch of currently installed OS not patched because for a very
long time, the default setting was not to update automatically. Nowadays
most of the current OS change this standard behavior, simply because of
the fact you observed already on your own. If you don't want automatic
updates after installation, simply execute "yum remove yum-autoupdate" or
add -yum-autoupdate to your kickstart file in the %package section. But we
are talking about the default behavior and the default behavior should be
automatic updates as it is default in nearly all current OS because the
majority of security experts agreed on this topic as a better approach for
more security in the net.

> I've been doing this long enough to know that patches can often break more
> than they fix (and can introduce their own security bugs). To blindly patch
> all the time is an immature way of being an admin.


You can administer the system in the way you like, you are free to do it
however you like. If you don't trust upstream QA and build up your own QA
landscape with tons of servers and tons of test and use cases, fine with me
and fine with the rest of us. But the default setting is for all users
that use this OS, including all users who don't have the ability to
set up a QA landscape that is better than the upstream QA so they need to
rely on upstream QA anyway.

Regards, Thomas
-- 
Linux ... enjoy the ride!
