On Fri, Nov 04, 2016 at 03:53:55PM +0200, Apollon Oikonomopoulos wrote:
> On 14:13 Fri 04 Nov , Luca Capello wrote:
> > I still think that a non-manual upgrade (i.e. an upgrade which has not
> > been checked by a manual process, which means that a scripted upgrade is
> > not part of it) should not be a default on any OS, but it seems I am the
> > only one thinking like this...
>
> While enabling unattended-upgrades by default is definitely a step
> towards better security, it would be great if we could also provide
> users/admins with an easy opt-out mechanism for certain services,
> especially if we want unattended upgrades to be usable on production
> machines.
>
> Currently unattended-upgrades provides a package blacklist that can be
> manually configured to exclude certain packages from upgrades. While
> this is useful in its own right, I think we should eventually provide an
> easy-to-configure policy-rc.d mechanism (possibly integrated with
> debconf?) to provide what most people eventually want: a "please don't
> restart my apache or mysql automatically" kind of behaviour.

needrestart can do this already:
https://github.com/liske/needrestart/blob/master/ex/needrestart.conf#L71
so you just would need a local conf snippet with *your* services.

\o
Evgeni
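
The policy-rc.d behaviour asked for in the quoted text ("please don't restart my apache or mysql automatically"), sketched as an added example that is not part of this thread or of any package. The service names, the denied-action list and the helper names `in_list` and `policy_decision` are assumptions; the script is meant to be installed executable as /usr/sbin/policy-rc.d, where invoke-rc.d consults it.

```shell
#!/bin/sh
# Sketch of /usr/sbin/policy-rc.d, which invoke-rc.d consults before it acts.
# Exit status 0 = action allowed, 101 = action forbidden by policy.

# Assumed service names and action list; adjust to the local machine.
# "stop" is included because a package that stops the service before the
# upgrade and starts it afterwards would otherwise still bounce it.
PROTECTED_SERVICES="apache2 mysql"
DENIED_ACTIONS="stop restart try-restart"

in_list() {
    # in_list WORD LIST: succeed if WORD is one of the space-separated items.
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

policy_decision() {
    # Skip leading options such as --quiet (--list is not implemented here).
    while [ $# -gt 0 ]; do
        case $1 in
            --*) shift ;;
            *) break ;;
        esac
    done
    id=${1:-}
    id=${id%.service}    # tolerate a unit-style name (assumption)
    actions=${2:-}
    # Services outside the protected list keep the default behaviour.
    in_list "$id" "$PROTECTED_SERVICES" || return 0
    for action in $actions; do
        if in_list "$action" "$DENIED_ACTIONS"; then
            echo "policy-rc.d: refusing '$action' for $id" >&2
            return 101
        fi
    done
    return 0
}

# Act as the real hook only when installed under that name.
if [ "${0##*/}" = "policy-rc.d" ]; then
    policy_decision "$@"
    exit $?
fi
```

A service held back this way keeps running the old code after a security upgrade until an admin restarts it by hand, so the pending restart still has to be tracked.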