On 07/31/2013 12:20 PM, Paul Robert Marino wrote:
Agreed but as I said without restarting your services or rebooting in
the case of a kernel the auto update can create a false sense of
security.

Generally disagree. That might be true of some badly designed packages but have a look at the ssh server rpm scripts as an example:

preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
        -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add sshd
preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]
then
        /sbin/service sshd stop > /dev/null 2>&1 || :
        /sbin/chkconfig --del sshd
fi
postuninstall scriptlet (using /bin/sh):
/sbin/service sshd condrestart > /dev/null 2>&1 || :

Given how few things are remotely accessible by default it is nice to know that the most important one (ssh) is at least going to be running the latest version.

Also in production environments auto updates occasionally
break things and it can take sysadmins hours to figure out what happened.
If sysadmins plan their updates in regular cycles it allows them to
first test on an introduction host. When they test first they should be
able to discover any issues and work around and/or avoid them entirely
when the updates get pushed into production. Also if something does
break in production after a planned update they know what changed rather
than having a mysterious failure which seemed to appear from nowhere.

Agreed, but if you are already doing all that why can't you turn off automatic updates manually when the system is first installed?

Jeff
