Bug#473082: unattended-upgrades: Does not install security upgrades as promised

2008-04-11 Thread Ben Hutchings
On Fri, 2008-04-11 at 13:58 +0200, Göran Weinholt wrote:
> Ben Hutchings [EMAIL PROTECTED] writes:
>
> > On Thu, 2008-04-10 at 23:10 +0200, Göran Weinholt wrote:
> > snip
> > > Am I still correct in believing that it is not enough to simply
> > > install the package for it to do upgrades automatically and
> > > unattended as described?
> >
> > unattended-upgrade is supposed to be run by /etc/cron.daily/apt.  If you
> > customised this some time ago and have not accepted the current version
> > from the apt package then it might not be run regularly.
>
> Ah! But only since apt version 0.7.0 (according to the apt changelog).
> Which means that apt in etch does not run unattended-upgrade, hence my
> bug report. Do you agree that this is a problem?
snip

Sorry, I am confusing the etch and sid versions.

The version in etch is undocumented except by the package description.
The description seems to suggest a totally automatic process (e.g. run
by cron), which it clearly doesn't provide.  The documentation should be
clear that if you want it to run regularly, you need to set up a cron
job.

The version in sid is documented as integrating with apt and depending
on a recent apt.  However, the control file doesn't state the
dependency, and that is clearly a bug.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.
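
An added example, not part of the thread or of any Debian package: a check for the situation discussed above, where the package is installed but nothing runs it. The function name, status words and the ROOT argument are hypothetical; it assumes run-parts skips cron file names containing a dot and that dpkg leaves a declined conffile update as `apt.dpkg-dist`.

```shell
#!/bin/sh
# Added example: report whether unattended-upgrade is actually scheduled.
# ROOT is a hypothetical argument (filesystem root to inspect, default /).

# Succeeds if FILE has a non-comment line that mentions unattended-upgrade.
calls_uu() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -q 'unattended-upgrade'
}

# Prints one status (plus the file where relevant):
#   not-installed | scheduled FILE | pending-conffile FILE | not-scheduled
uu_schedule_status() {
    root=${1:-/}
    root=${root%/}
    [ -e "$root/usr/bin/unattended-upgrade" ] || { echo "not-installed"; return 0; }

    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/etc/cron.daily/*; do
        case ${f##*/} in
            *.*) continue ;;   # run-parts ignores names containing a dot
        esac
        if calls_uu "$f"; then
            echo "scheduled ${f#"$root"}"
            return 0
        fi
    done

    # A locally modified cron.daily/apt was kept; the packaged version that
    # would call unattended-upgrade is sitting beside it, unused.
    dist="$root/etc/cron.daily/apt.dpkg-dist"
    if calls_uu "$dist"; then
        echo "pending-conffile ${dist#"$root"}"
        return 0
    fi
    echo "not-scheduled"
}

uu_schedule_status "${1:-/}"
```

A "scheduled" result only shows that a cron file invokes the tool; it does not show that a run installs anything, which is the separate complaint in the original report.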




Bug#473082: unattended-upgrades: Does not install security upgrades as promised

2008-04-04 Thread Ben Hutchings
[EMAIL PROTECTED] (Göran Weinholt) wrote:
> Package: unattended-upgrades
> Version: 2.0
> Severity: critical
> Tags: security

The latest version is 0.25.1debian1.  Which version are you really
using, and with which distribution?

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.




Bug#473082: unattended-upgrades: Does not install security upgrades as promised

2008-03-28 Thread Göran Weinholt
Package: unattended-upgrades
Version: 2.0
Severity: critical
Tags: security

See the package description:

Description: Install security upgrades automatically
 This package will download and install security upgrades automatically
                                                          ^^^^^^^^^^^^^
 and unattended. It will take care to only install packages from the
     ^^^^^^^^^^
 configured origin and will check for conffile prompts.

It does no such thing. Not even if /usr/bin/unattended-upgrade is run
manually does it actually install the upgrades, it just downloads
them! It writes to its log files what commands it should have run to
actually install the upgrades.

The reason I set this bug to critical and tag it security is that the
package promises to install security upgrades for the user but fails
to act on that promise. This tricks the user into a false sense of
security. There are no doubt users running insecure kernels and other
software because of this bug.

Regards,

-- 
Göran Weinholt. Debian developer. Network administrator.
Wow! My entire arm disintegrated! -- Spongebob Squarepants