Unattended updates

Unattended updates

Kai Hendry
http://natalian.org/archives/2006/04/06/unattended-upgrades/

Why doesn't Ubuntu consider doing unattended background updates?

I see you have a couple of specs on this issue. Though they seem to deal
with the myriad of problems associated with the prompt, password, check,
update, close procedure. Why have that update-notifier routine at all?

https://launchpad.net/distros/ubuntu/+spec/update-manager-edgy
https://launchpad.net/distros/ubuntu/+spec/improved-update-procedure
https://launchpad.net/distros/ubuntu/+spec/one-click-updates-in-gnome
https://launchpad.net/distros/ubuntu/+spec/update-notifier-non-admin-mode

I am sure people will argue that people need to check the specific
updates for some reason or another.

Though most people don't care about the specific updates. They want a
secure up-to-date system with the least fuss.

Best wishes,

--
ubuntu-devel mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: Unattended updates

Scott Dier
Kai Hendry wrote:

> Though most people don't care about the specific updates. They want a
> secure up-to-date system with the least fuss.

I've actually had someone get very unhappy if we turned on automatic
updates with their laptop since they use a modem from time to time and
it can get very slow otherwise.

You can turn on automatic security updates if you go into the software
preferences I believe (under administration).

--
Scott Dier <[hidden email]>


Re: Unattended updates

Ivan Krstić-3
In reply to this post by Kai Hendry
Kai Hendry wrote:
> Why doesn't Ubuntu consider doing unattended background updates?

krstic@aeryn:~> apt-cache show unattended-upgrades|grep -A10 Description
Description: Install security upgrades automatically
 This package will download and install security upgrades automatically
 and unattended. It will take care to only install packages from the
 configured origin and will check for conffile prompts.
Bugs: mailto:[hidden email]
Origin: Ubuntu
Task: ubuntu-desktop, edubuntu-desktop, xubuntu-desktop

krstic@aeryn:/etc> grep unatte cron.*/*
cron.daily/apt:#  - Run the "unattended-upgrade" security upgrade script
cron.daily/apt:#    Requires the package "unattended-upgrades" and will write
cron.daily/apt:#    a log in /var/log/unattended-upgrades
cron.daily/apt:    unattended-upgrade

--
Ivan Krstic <[hidden email]> | GPG: 0x147C722D


Re: Unattended updates

Kai Hendry
In reply to this post by Scott Dier
On 2006-06-30T01:10-0500 Scott Dier wrote:
> I've actually had someone get very unhappy if we turned on automatic
> updates with their laptop since they use a modem from time to time and
> it can get very slow otherwise.

True, though perhaps they can be automatically throttled.

> You can turn on automatic security updates if you go into the software
> preferences I believe (under administration).

Ah, that's what I wanted. Though I prefer that to be the default.


It would also be nice to have running updates on edgy for testing
purposes.

Best wishes,


Re: Unattended updates

Travis Watkins
On 6/30/06, Kai Hendry <[hidden email]> wrote:
> It would also be nice to have running updates on edgy for testing
> purposes.

Trust me, the last thing you want is automatic upgrades of a
development distro. Massive breakage on autopilot isn't my idea of
convenience. :)

--
Travis Watkins
http://www.realistanew.com


Re: Unattended updates

Kai Hendry
On 2006-06-30T03:08-0500 Travis Watkins wrote:
> Trust me, the last thing you want is automatic upgrades of a
> development distro. Massive breakage on autopilot isn't my idea of
> convenience. :)

Well, I wrote the original mail in a huff as I've updated to edgy and
now sudo is broken. An automatic update wouldn't (hopefully) require
sudo when the fixed package comes available everything should be back to
normal.

Though perhaps my imagination is running wild. :)


Re: Unattended updates

Ivan Krstić-3
Kai Hendry wrote:
> An automatic update wouldn't (hopefully) require
> sudo when the fixed package comes available everything should be back to
> normal.

Did you see my e-mail? This exists, and works. It wouldn't help with
sudo, because by default, it's only configured to use -updates and
-security as permitted origins.

--
Ivan Krstic <[hidden email]> | GPG: 0x147C722D


Re: Unattended updates

Karl Goetz
In reply to this post by Kai Hendry
Kai Hendry wrote:
> On 2006-06-30T01:10-0500 Scott Dier wrote:
>> I've actually had someone get very unhappy if we turned on automatic
>> updates with their laptop since they use a modem from time to time and
>> it can get very slow otherwise.
>
> True, though perhaps they can be automatically throttled.

Throttle dial up?
I connect over dialup at 4.8kb/s. How are you going to throttle that and
have a usable connection? Not going to happen.
>
>> You can turn on automatic security updates if you go into the software
>> preferences I believe (under administration).
>
> Ah, that's what I wanted. Though I prefer that to be the default.
>
I'm keen for it to stay off.
>
> It would also be nice to have running updates on edgy for testing
> purposes.

I run edgy, and I like to choose when my system breaks, and when my
-desktop packages get removed (IE not removed).
:)

>
> Best wishes,
>
kk

--
Karl Goetz
The buck stops there -> $
Australian Ubuntu users team - http://wiki.ubuntu.com/AustralianTeam


Re: Unattended updates

David Nielsen
Fri, 30 06 2006 at 19:37 +0930, Karl Goetz wrote:

> Kai Hendry wrote:
> > On 2006-06-30T01:10-0500 Scott Dier wrote:
> >> I've actually had someone get very unhappy if we turned on automatic
> >> updates with their laptop since they use a modem from time to time and
> >> it can get very slow otherwise.
> >
> > True, though perhaps they can be automatically throttled.
>
> Throttle dial up?
> I connect over dialup at 4.8kb/s. how are you going to throttle that and
> have a usable connection? not going to happen

Network-Manager, if it's connected via modem we just don't update unless
asked to.

That being said if the system starts doing underhanded automatic
installs I would think that if the user has 3rd party repos in his
sources.list we would be subject to some nasty spoofing attacks (here
I'm assuming said 3rd party doesn't sign packages or similar silliness -
remember most users will mindlessly just answer yes to any question the
system poses without reading the explanatory text)

- David



Re: Unattended updates

Ivan Krstić-3
David Nielsen wrote:
> That being said if the system starts doing underhanded automatic
> installs I would think that if the user has 3rd party repos in his
> sources.list we would be subject to some nasty spoofing attacks

I'm not sure what it'll take to have people stop talking about this as
if it were to be written sometime in the future. This exists, it's
written already, and it's in Dapper. It's also resistant to the kind of
attack David proposes, since it requires explicit specification of
(origin, archive) tuples for which unattended upgrades are allowed:

krstic@aeryn:~> cat /etc/apt/apt.conf.d/50unattended-upgrades
// allowed (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu dapper-security";
//      "Ubuntu dapper-updates";
};

// never update the packages in this list
Unattended-Upgrade::Package-Blacklist {
//      "vim";
};

--
Ivan Krstic <[hidden email]> | GPG: 0x147C722D
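
Added example (not part of the thread and not the unattended-upgrades source): a default-deny check in the spirit of the (origin, archive) allow-list shown in the message above. It assumes each entry is "origin archive" split at the last space; the function names and the candidate values are constructed for illustration.

```python
import re

# Constructed sample in the format of /etc/apt/apt.conf.d/50unattended-upgrades
SAMPLE_CONF = '''
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu dapper-security";
//      "Ubuntu dapper-updates";
};
Unattended-Upgrade::Package-Blacklist {
//      "vim";
};
'''

def parse_list(conf, key):
    """Return the quoted entries of apt.conf list `key`, skipping // comments."""
    # Naive comment stripping: assumes no value contains "//" (true for this sample).
    body = "\n".join(line.split("//", 1)[0] for line in conf.splitlines())
    m = re.search(re.escape(key) + r"\s*\{(.*?)\}\s*;", body, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def allowed_pairs(conf):
    """Turn each "origin archive" entry into an (origin, archive) tuple."""
    pairs = set()
    for entry in parse_list(conf, "Unattended-Upgrade::Allowed-Origins"):
        origin, _, archive = entry.rpartition(" ")  # assumption: split at last space
        if origin and archive:
            pairs.add((origin, archive))
    return pairs

def may_auto_upgrade(conf, pkg, origin, archive):
    """Default deny: the exact pair must be listed and pkg must not be blacklisted."""
    if pkg in parse_list(conf, "Unattended-Upgrade::Package-Blacklist"):
        return False
    return (origin, archive) in allowed_pairs(conf)

if __name__ == "__main__":
    # Constructed candidates: (package, origin, archive) as a repository might label them
    for cand in [("sudo", "Ubuntu", "dapper-security"),
                 ("sudo", "Ubuntu", "edgy"),
                 ("foo", "ThirdParty", "dapper-security")]:
        print(cand, "->", may_auto_upgrade(SAMPLE_CONF, *cand))
```

The labels compared here come from the repository's Release metadata, so the check is only as trustworthy as apt's signature verification of that file.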


Re: Unattended updates

Robin Sonefors-2
In reply to this post by David Nielsen
What if it's connected through LAN to a gateway with dialup? I've done
it myself, I've seen others do it...

Fri 2006-06-30 at 13:21 +0200, David Nielsen wrote:

> Fri, 30 06 2006 at 19:37 +0930, Karl Goetz wrote:
> > Kai Hendry wrote:
> > > On 2006-06-30T01:10-0500 Scott Dier wrote:
> > >> I've actually had someone get very unhappy if we turned on automatic
> > >> updates with their laptop since they use a modem from time to time and
> > >> it can get very slow otherwise.
> > >
> > > True, though perhaps they can be automatically throttled.
> >
> > Throttle dial up?
> > I connect over dialup at 4.8kb/s. how are you going to throttle that and
> > have a usable connection? not going to happen
>
> Network-Manager, if it's connected via modem we just don't update unless
> asked to.
>
> That being said if the system starts doing underhanded automatic
> installs I would think that if the user has 3rd party repos in his
> sources.list we would be subject to some nasty spoofing attacks (here
> I'm assuming said 3rd party doesn't sign packages or similar silliness -
> remember most users will mindlessly just answer yes to any question the
> system poses without reading the explanatory text)
>
> - David
>
>


Re: Unattended updates

John Moser-2
In reply to this post by Ivan Krstić-3
Ivan Krstic wrote:

> David Nielsen wrote:
>> That being said if the system starts doing underhanded automatic
>> installs I would think that if the user has 3rd party repos in his
>> sources.list we would be subject to some nasty spoofing attacks
>
> I'm not sure what it'll take to have people stop talking about this as
> if it were to be written sometime in the future. This exists, it's
> written already, and it's in Dapper. It's also resistant to the kind of
> attack David proposes, since it requires explicit specification of
> (origin, archive) tuples for which unattended upgrades are allowed:
>
> krstic@aeryn:~> cat /etc/apt/apt.conf.d/50unattended-upgrades
> // allowed (origin, archive) pairs
> Unattended-Upgrade::Allowed-Origins {
>         "Ubuntu dapper-security";
> //      "Ubuntu dapper-updates";
> };
>

Great, now all we need are "Repositories" in Synaptic to offer a
checkbox for "Automatic Updates from this repository".

TBH unless the thing comes back like "HOLYSH- UBUNTU KEY LOOKS NOT LIKE
MY COPY" I'll just mindlessly click through it.  That should be safe as
long as you keep your private keys a secret to everyone.

> // never update the packages in this list
> Unattended-Upgrade::Package-Blacklist {
> //      "vim";
> };
>

"Never Automatically Update This Package" in right-click menu... and a
"no automatic updates" list in the "Status" tab.

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond

    We will enslave their women, eat their children and rape their
    cattle!
                  -- Bosc, Evil alien overlord from the fifth dimension

Re: Unattended updates

Jan Claeys-3
In reply to this post by Robin Sonefors-2
On Fri, 30-06-2006 at 13:55 +0200, Robin Sonefors wrote:
> What if it's connected through LAN to a gateway with dialup? I've done
> it myself, I've seen others do it...

Or imagine someone on the road using internet access that's charged by
the number of bytes transferred, that could result in some nasty
(financial) surprises...


--
Jan Claeys



Re: Unattended updates

Matt Zimmerman-2
In reply to this post by Kai Hendry
On Fri, Jun 30, 2006 at 02:27:33PM +0900, Kai Hendry wrote:
> http://natalian.org/archives/2006/04/06/unattended-upgrades/
>
> Why doesn't Ubuntu consider doing unattended background updates?

This functionality was already implemented in Ubuntu 6.06 LTS.

https://launchpad.net/distros/ubuntu/+spec/unattended-package-upgrades

--
 - mdz
