Soren: You make a good point. I wasn't keeping track of whether these updates were from -security. In my proposed samples of how to use the date-fixed apt mirrors in http://run.alestic.com/apt/rightscale the -security line pointed directly from ubuntu.com and not the alternative mirror. I don't know if companies who need this would use it that way or not.
Even so, isn't the default for Ubuntu to not automatically apply the security updates without user intervention? It seems like it would be nice to allow users the option to operate under this policy even if it isn't the default on EC2 and even if Canonical is not the one providing the option with the date-fixed apt mirror.

For the record, I am personally very comfortable applying Ubuntu updates without much scrutiny. This is one of the main reasons I switched to Ubuntu after regularly running into issues applying updates with alternative distros.

I feel like we're getting a little off topic, too. I was presenting a few sample use cases on why automatic apt-get upgrade from Canonical's EC2 apt mirrors on first boot can cause problems for users who want to specify their own apt mirrors in user-data scripts. Even if we don't completely agree on every one of the use cases or think that Canonical might be able to improve their mirrors to reduce the frequency users desire an alternative, it sounds like the proposed solution was acceptable and we can move forward for now.

Did anybody submit any comments on the rest of the user-data configuration file RFC?

--
Eric Hammond

Soren Hansen wrote:
> On Tue, Jan 05, 2010 at 03:11:50AM -0800, Eric Hammond wrote:
>> We choose when to update our running systems, often after testing in
>> development and QA environments. However, if systems are being fired
>> up automatically by Amazon's Auto Scaling or Spot Instances and those
>> instances upgrade themselves on boot, then package upgrades are forced
>> on you whether or not you have tested, unless you choose to use a
>> date-fixed apt mirror like RightScale offers.
>
> If Ubuntu were ever to offer date-fixed repositories, I would personally
> consider that having declared complete bankruptcy on our SRU and
> security update policies and procedures. If we don't even trust our own
> process for these updates, and acknowledge the need for date-fixed
> repositories, we've lost. If we discover shortcomings in these
> processes, we need to fix them, not offer ways to circumvent them.
>
> Furthermore, even the smallest delays in applying security updates means
> a window of opportunity for an attacker. I consider it a critical
> feature for Ubuntu that our users should feel comfortable applying our
> security updates without much scrutiny.
>
