Verified Commit 2b9b5948 authored by Raphaël Hertzog

No longer install unattended-upgrades by default

This has been requested by the Debian security team:
https://lists.debian.org/debian-boot/2018/05/msg00250.html

Quoting Moritz Mühlenhoff:

    unattended-upgrades is a crude hack at best and _not_ suitable for a
    default installation. There are selected scenarios where it might be
    useful (such as a staging or test environment), but there will always be
    security updates which are not sufficiently resolved by simply installing
    a package or which will even break installations if no additional changes
    are made. The only supported way to deploy a security update issued by the
    Debian Security Team is to follow our advisories (which will provide
    instructions if an update requires subsequent steps) and test it before it
    gets rolled out to additional machines. While we have a very low
    regression rate, those are inevitable to a certain extent and there's
    always stuff you cannot test/cover (local packages, cruft from previous
    releases).

    u-u is also very rudimentary. It doesn't support service restarts e.g., so
    installing an openssl update is pretty pointless as it doesn't even
    attempt to warn/act on library restarts.

    It's also very brittle, only a few days ago I had to fix a stretch system
    where it uninstalled virtually all KDE packages after installing the VLC
    update (which installed a new version of libvlccore and all went kaboom).

    All this crap falls back to the security team, because people think our
    update broke the system. Or stuff like
    https://lists.debian.org/debian-security/2018/05/msg00011.html

    u-u breaks stuff (and would even more so if installed by default on
    servers, where it will cause unpredictable server downtimes during
    restarts etc.) and Debian should not be broken by default.

    If users make a conscious decision to accept the consequences of
    unattended-upgrades, then they can install it explicitly and have to deal
    with the fallout, but it must not be part of a default installation.
parent 8eb97e14