On 25-12-16 at 01:43, Paul Wise wrote:
> On Sun, Dec 25, 2016 at 8:34 AM, Paul van der Vlis wrote:
>
>> I am doing this myself already on desktop systems so I have some
>> experiences with it.
>
> Thanks for sharing your experience.
>
>> What I would really like is a mechanism where the user can tune after
>> how many days the upgrade will occur. Maybe a default could be after 2
>> days. People who like to have faster updates can change this to 0 days,
>> and these people do extra testing of the updates. When big problems occur
>> with an update, the installation of the update should be stopped in some
>> way for the people who have set it at 2 days.
>
> How do you propose to transmit the info about problematic updates from
> early testers to folks who update later?

I think those users can contact the security team. The security team
could remove or replace a security update, or give information. Other
people can also share information about experiences with the update, so
there is already information on the internet if you use the 2-day
default.

I use a script on a few servers to realize this; it's not perfect:
http://vandervlis.nl/files/updateafter

>> It would be nice to have a way to configure a notice (by e-mail?) in
>> case of an apt or dpkg error.
>
> /etc/apt/apt.conf.d/50unattended-upgrades:
> Unattended-Upgrade::Mail "root";
> Unattended-Upgrade::MailOnlyOnError "true";

Thanks.

>> I would like something as "apt-get update; apt-get dist-upgrade".
>> So not only "apt-get upgrade", and for everything in sources.list, so
>> not only for security updates. I would like to go from Debian 9.1 to
>> 9.2, but not from Debian 9 to 10.
>
> /etc/apt/apt.conf.d/50unattended-upgrades:
> Set Unattended-Upgrade::Origins-Pattern to match which packages you
> want to upgrade.

I use "*" and that works fine; I would like it as the default. People who
do not want it have many ways to change it.

I am not sure, but if you only use "apt-get update; apt-get upgrade" I
expect you do not have a secure system anymore after some time.

>> Using a program that has been upgraded can give strange problems. I have
>> seen this e.g. with e-mail clients and browsers. I would like it when
>> desktop users could get a message that programs have to be restarted.
>> Not sure this is important for servers too; I would think so.
>
> apt install needrestart needrestart-session

Thanks, I will study that.

>> I don't think it's a good idea to enable automatic reboots by default.
>
> I think we either need a Linux kernel livepatch service or automatic reboots.

I would like a kernel livepatch, but it's not there at the moment. I
don't like automatic reboots as a default, but if many people want them
I can live with it, when I can turn them off.

I use "at" to reboot very early in the morning:

-----------
# TIJD (Dutch: time) is the reboot time; MAIL receives the notices
TIJD="5:00"
MAIL="p...@vandervlis.nl"
# announce the scheduled reboot right away
echo "$HOSTNAME is rebooted on $TIJD" | mail -s "$HOSTNAME is rebooted on $TIJD" "$MAIL"
# queue a second notice and the reboot itself with at(1)
echo "mail -s '$HOSTNAME becomes rebooted now' $MAIL; reboot" | at "$TIJD"
----------

With regards,
Paul van der Vlis

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
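The "upgrade after N days" mechanism discussed in this thread, as an added example that is not the updateafter script from the post: a POSIX shell sketch that records when each candidate version was first seen and only releases it after DELAY_DAYS, so that a replaced version (for example a pulled and reissued security update) restarts the clock. The state directory, the NOW override and the apt-get -s output parsing in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example, not the updateafter script from the post.
# Release an upgrade only after its candidate version has been visible
# for DELAY_DAYS days. A changed candidate version (e.g. a replaced
# security update) restarts the clock for that package.
# Assumptions: a writable STATE_DIR; NOW may be preset for testing.

STATE_DIR="${STATE_DIR:-/var/lib/updateafter}"
DELAY_DAYS="${DELAY_DAYS:-2}"     # the 2-day default proposed in the thread
NOW="${NOW:-$(date +%s)}"

# record_seen PKG VERSION: store the time this candidate was first seen.
record_seen() {
    f="$STATE_DIR/$1"
    if [ -f "$f" ] && [ "$(cut -d' ' -f1 "$f")" = "$2" ]; then
        return 0                   # same version already tracked
    fi
    printf '%s %s\n' "$2" "$NOW" > "$f"
}

# old_enough PKG VERSION: true when the tracked candidate matches and has
# been seen for at least DELAY_DAYS days.
old_enough() {
    f="$STATE_DIR/$1"
    [ -f "$f" ] || return 1
    ver=$(cut -d' ' -f1 "$f")
    seen=$(cut -d' ' -f2 "$f")
    [ "$ver" = "$2" ] || return 1
    [ $((NOW - seen)) -ge $((DELAY_DAYS * 86400)) ]
}

# select_ready: read "pkg version" lines on stdin, print "pkg=version"
# for each one that is ready to install.
select_ready() {
    mkdir -p "$STATE_DIR"
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        record_seen "$pkg" "$ver"
        if old_enough "$pkg" "$ver"; then
            echo "$pkg=$ver"
        fi
    done
    return 0
}

# Real use (assumed apt-get -s output format "Inst pkg [old] (new ...)"):
#   apt-get update
#   apt-get -s dist-upgrade \
#     | awk '/^Inst /{v=$0; sub(/.*\(/,"",v); sub(/ .*/,"",v); print $2, v}' \
#     | select_ready | xargs -r apt-get install -y
```

The price of the delay is that every fix, including a critical one, waits DELAY_DAYS longer; the version check is what lets the security team stop a rollout simply by replacing the package.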