On Tue, Dec 12, 2017 at 09:23:50AM +0100, Raphael Hertzog wrote:
> > But my experience has mostly been with regular package updates. I haven't
> > focused much on security updates. Can security updates be applied without
> > generating dependency chains and their updates?
>
> Yes. I am seriously doubting that you ever applied any security update on
> a server running Debian stable by yourself. That's the point of security
> updates on stable releases, they fix only the security vulnerabilities but
> do not introduce functional changes and have a limited risk of breakage.

unattended-upgrades are not an appropriate default. It's okay for a desktop
system which gets powered down daily, so you can add it to tasksel lists for
desktop roles, but not enable it by default for servers.

- It does not handle restarts. If you upgrade OpenSSL (or any library) with it,
  all your services will be left vulnerable until restarted. It will give
  people a warm fuzzy feeling, but not any actual security benefit.

- We do need to make the occasional breaking change where people have to
  modify configuration settings or perform additional manual steps. With
  unattended-upgrades people don't have a chance to intervene. And if their
  setups break, we're the ones who get blamed.

Why was this change made without contacting t...@security.debian.org (as the
ones who are affected the most)?

Cheers,
Moritz
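
The restart problem raised in the message above can be checked on a running host: when a package upgrade replaces a shared library, processes started earlier keep the old file mapped and the kernel lists it as `(deleted)` in `/proc/<pid>/maps`. The following is an added example, not part of the original message or of any Debian tool; the function names, the sample process name `exampled` and the sample maps content are constructed for illustration.

```python
import os
import re

# /proc/<pid>/maps fields: address perms offset dev inode pathname
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ (\S{4}) [0-9a-f]+ \S+ \d+\s+(/.*)$")
LIB_RE = re.compile(r"\.so(\.[0-9A-Za-z_.+-]+)?$")
DELETED = " (deleted)"

# Constructed sample: a daemon started before libssl was upgraded on disk.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a5e000 r-xp 00000000 08:01 1311234 /usr/sbin/exampled
7f3a1c000000-7f3a1c066000 r-xp 00000000 08:01 1315001 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1d000000-7f3a1d1b5000 r-xp 00000000 08:01 1315002 /usr/lib/x86_64-linux-gnu/libc-2.24.so
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:05 98304 /SYSV00000000 (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_libraries(maps_text):
    """Return shared libraries mapped executable whose file was replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m or "x" not in m.group(1):
            continue  # skip anonymous, special and non-executable mappings
        path = m.group(2)
        # Ignore deleted non-library mappings such as SysV shared memory.
        if path.endswith(DELETED) and LIB_RE.search(path[: -len(DELETED)]):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> (command name, stale libraries) for every readable process."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                libs = stale_libraries(fh.read())
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if libs:
            findings[int(pid)] = (comm, libs)
    return findings

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(pid, comm, ", ".join(libs))
```

Run as root so every process's maps file is readable; each process listed is still executing the pre-upgrade library code until it is restarted.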