Hi, On Thu Nov 03, 2016 at 18:47:28 +0000, Steve McIntyre wrote: > Hey folks, > > I'm in Seattle for the Debian Cloud sprint and it's going really > well. I'll post a report in a few days summarising what we've > done. But, in the meantime, there's something that has come up which I > think merits wider discussion. > > One of the topics that we've been talking about yesterday is automatic > software upgrades of cloud images. Some of the cloud platform > providers really want this so that unsophisticated / inexperienced > users of Debian images on their platforms will be secure by > default. But there are potential issues here: > > * if users are providing a service like a database from a cloud > instance, there may be unexpected (potentially lengthy) downtime if > upgrades happen. Of course, this can be mitigated by disabling the > upgrade job on those machines if desired but that needs people to > know to do this. Experienced users will probably be dealing with > upgrades already, so this should not be an issue. > > * it will be a different experience compared to what people will get > when installing Debian normally, using d-i / debootstrap. Most > (all?) of our desktop environments already have some automatic > notification of available updates, but (a) not everybody uses them; > and (b) that's not so useful on a remote server installation where > there's no desktop for the system to show a pop-up or similar. > > To solve the issue and provide security updates by default, I'm > proposing that we should switch to installing unattended-upgrades by > default (and enabling it too) *unless* something else in the > installation is already expected to deal with security updates. > > Thoughts?
+1! One side mark: once we start that, we might expose users to the public that they run this, as then a lot of users will send a similar sized packets to the internet! But i see no real security concern with that. Cheers, Martin -- Martin Zobel-Helas <zo...@debian.org> Debian System Administrator Debian & GNU/Linux Developer Debian Listmaster http://about.me/zobel Debian Webmaster GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
