From: Rob Owens on 15 Apr 2010 19:50

On Sat, Apr 10, 2010 at 03:07:31AM +0200, thib wrote:
> Chris Hiestand wrote:
>> On Apr 7, 2010, at 12:27 PM, Ron Johnson wrote:
>>
>>> On 2010-04-07 13:52, Jozsi Vadkan wrote:
>>>> [snip]
>>> That's a foolish thing to do, since blind acceptance can lead to a broken system.
>>
>> Maybe so, but I've been using automatic upgrades for the last 2-3 years on many stable systems without a problem. The nice thing about staying within the stable distribution is that typically the only updates are security updates which are generally very small changes.
>>
>> When you get to the scale of managing tens or hundreds of debian systems it's easier to automatically upgrade and fix any problems in the off-chance they happen. If you wanted to be more careful, one solution is to set up your systems in such a way that a small group of computers get updated before the rest, as an early warning system.
>>
>> The major package changes happen between inter-distribution (eg etch -> lenny), which always need a human supervisor. This is acceptable on a larger scale because that only happens every 1.5 - 2 years.
>>
>> Also if you have other management software (eg cfengine, puppet) in place, it helps mitigate problems when upgrading debian packages or distributions - decreasing the cost of a package upgrade mishap across many systems.
>
> As nicely put in the reference (2.7.5):
>
> "If the risk of breaking an existing stable system by the automatic
> upgrade is smaller than that of the system broken by the intruder using
> its security hole which has been closed by the security update, you
> should consider using [the] automatic upgrade [...]"
>
> In other words, use automatic security upgrades if you can't maintain the
> system actively and have enemies.
>
You could fine-tune your automatic updates a little, in order to minimize risk and maximize security. For instance, only automatically update openssh-server and iceweasel (and any other internet-facing servers or likely vectors of attack).

-Rob

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/20100415234731.GB24973(a)aurora.owens.net

From: Ron Johnson on 15 Apr 2010 21:50

On 2010-04-15 18:45, Rob Owens wrote:
> On Sat, Apr 10, 2010 at 01:37:31AM +0200, Clive McBarton wrote:
>> Ron Johnson wrote:
>>> Anyway, the cron-apt package does what you want. It is recommended,
>>> though, to use it only for downloads.
>> It does help the OP since he uses apt-get, but what about the people who
>> normally use aptitude? There's no "cron-aptitude" package. And though
>> cron-apt can be configured to actually run aptitude, I don't get the
>> impression that it has really been tested that way.
>>
> I've always used my own script, and put it in cron. Something like
> this:
>
> apt-get update > $HOME/update.log 2>&1
> apt-get upgrade --assume-yes >> $HOME/update.log 2>&1
>
apt-cron does that for you and emails the results.

--
Dissent is patriotic, remember?

Archive: http://lists.debian.org/4BC7C01C.2060206(a)cox.net
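
Rob's suggestion of limiting automatic upgrades to a few exposed packages, combined with the cron script quoted above, could look like the following. This is an added example, not part of either post; the allowlist, the `Debian-Security` origin label and the sample simulation lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: allowlist-restricted automatic upgrades.
# ALLOWLIST is an assumption based on the packages named in the thread.
ALLOWLIST="openssh-server iceweasel"

# Read `apt-get --simulate upgrade` output on stdin and print the names of
# pending upgrades that are on the allowlist AND come from a security archive.
select_upgrades() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Pending upgrades look like: Inst <pkg> [<old>] (<new> <origin>:<suite>)
        $1 == "Inst" && ($2 in ok) && /\(.*Debian-Security:/ { print $2 }
    '
}

# Constructed sample of simulate output, so the filter can be checked offline.
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Inst openssh-server [1:5.1p1-5] (1:5.1p1-5+lenny1 Debian-Security:5.0/stable)
Inst iceweasel [3.0.6-1] (3.0.6-3 Debian:5.0.4/stable)
Inst libc6 [2.7-18] (2.7-18lenny2 Debian-Security:5.0/stable)
Conf openssh-server (1:5.1p1-5+lenny1 Debian-Security:5.0/stable)
EOF
}

# Cron entry point: refresh lists, then upgrade only the selected packages.
run_upgrade() {
    log="${UPDATE_LOG:-$HOME/update.log}"
    apt-get update > "$log" 2>&1 || return 1
    pkgs=$(apt-get --simulate upgrade 2>>"$log" | select_upgrades)
    [ -n "$pkgs" ] || { echo "nothing to upgrade" >> "$log"; return 0; }
    # --only-upgrade never installs a package that is not already present.
    # $pkgs is intentionally unquoted: one argument per package name.
    apt-get install --only-upgrade --assume-yes $pkgs >> "$log" 2>&1
}

# Run for real only when explicitly asked, e.g. from cron: script.sh --run
if [ "${1:-}" = "--run" ]; then run_upgrade; fi
```

Everything not selected (here the non-security iceweasel update and the unlisted libc6 update) is left for a supervised upgrade.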