No longer install unattended-upgrades by default

This has been requested by the Debian security team:

Quoting Moritz Mühlenhoff:

    unattended-upgrades is a crude hack at best and _not_ suitable for a
    default installation. There are selected scenarios where it might be
    useful (such as a staging or test environment), but there will always be
    security updates which are not sufficiently resolved by simply installing
    a package or which will even break installations if no additional changes
    are made. The only supported way to deploy a security update issued by the
    Debian Security Team is to follow our advisories (which will provide
    instructions if an update requires subsequent steps) and test it before it
    gets rolled out to additional machines. While we have a very low
    regression rate, those are inevitable to a certain extent and there's
    always stuff you cannot test/cover (local packages, cruft from previous

    u-u is also very rudimentary. It doesn't support service restarts e.g., so
    installing an openssl update is pretty pointless as it doesn't even
    attempt to warn/act on library restarts.

    It's also very brittle, only a few days ago I had to fix a stretch system
    where it uninstalled virtually all KDE packages after installing the VLC
    update (which installed a new version of libvlccore and all went kaboom).

    All this crap falls back to the security team, because people think our
    update broke the system. Or stuff like

    u-u breaks stuff (and would even more so if installed by default on
    servers, where it will cause unpredictable server downtimes during
    restarts etc.) and Debian should not be broken by default.

    If users make a concious decision to accept the consequences of
    unattended-upgrades, then they can install it explicitly and have to deal
    with the fallout, but it must not be part of a default installation.
parent 8eb97e14
pkgsel (0.57) UNRELEASED; urgency=medium
[ Cyril Brulebois ]
* Update Vcs-{Browser,Git} to point to salsa (alioth's replacement).
[ Raphaël Hertzog ]
* No longer install unattended-upgrades by default as requested
by the Debian security team:
-- Cyril Brulebois <> Fri, 27 Apr 2018 03:43:06 +0200
pkgsel (0.56) unstable; urgency=medium
......@@ -51,17 +51,18 @@ _Description: Running ${SCRIPT}...
Template: pkgsel/update-policy
Type: select
Default: unattended-upgrades
Default: none
Choices-C: none, unattended-upgrades
__Choices: No automatic updates, Install security updates automatically
_Description: Updates management on this system:
Applying updates on a frequent basis is an important part of keeping the
system secure.
By default, security updates are automatically installed by the
unattended-upgrades package. Alternatively, you can opt-out from
this system and apply updates manually using standard package management
By default, security updates are not automatically installed as you
have to review the security advisories before installing the updates
using standard package management tools. Alternatively you can install
the unattended-upgrades package which will install security updates
Template: pkgsel/updatedb
Type: boolean
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment