On 2025-11-27, Andrew M.A. Cater <[email protected]> wrote:
> On Thu, Nov 27, 2025 at 06:25:44PM +0200, George Shuklin wrote:
>> On 11/25/25 7:39 PM, Charles Curley wrote:
>> > > Given all that I came to ask for advice. Should we enable
>> > > unattended-upgrades in Debian for baremetal servers (the same way as
>> > > it is enabled for cloud VMs)? Mind, that this installation process is
>> > > very automated, we ask users only on their partitioning preferences,
>> > > hostname and ssh public key, so we can't simply 'ask user'.
>> > I suggest you enable them, and document for your users that you have
>> > done so and how to disable them.
>>
>> Can you give arguments in favor of this option, please?
>>
>
> The general security advice is to patch regularly and to keep up with
> security updates - this from various governments' cyber security authorities
> and because malevolent actors start exploiting vulnerabilities early.
>
> The only counter indication is if updates require a restart to install a
> new kernel or whatever - at which point there is an interruption in service.
> Probably better to provide upgrades without needing further explicit action
> from the users - but warn them that you've done so.

Yes, I agree with this (but don't use unattended-upgrades myself, mind you, because I like to see what's happening behind the scenes).

> All best, as ever,
>
> Andy
> ([email protected])

