Re: Linux variants that automatically download and update patches



On Jun 22, 6:00 am, General Schvantzkoph <schvantzk...@xxxxxxxxx>
wrote:
On Sun, 21 Jun 2009 20:51:18 -0700, Bennett Haselton wrote:
On Jun 21, 7:56 pm, Sam <s...@xxxxxxxxxxxxxx> wrote:
Bennett Haselton writes:
Since this was the case for all of my CentOS machines at different
providers, I assume that the majority of CentOS dedicated machines
provisioned by hosting providers, are set up not to download and
install updates automatically.

This leaves me with a couple of questions:

1) Are there other Linux variants where the out-of-the-box default is
to download and install updates automatically?

Well, like CentOS and Fedora, for one. All that's needed to be done is
to run "yum update -y" from cron, once a day, or something.

All other distros should also have a comparable mechanism for
downloading and installing updates.

Yes but in CentOS at least, it's not enabled by default, which means
lots of machines will continue to get hacked until it's made the
default.  Are there distros where this is the case?

2) I know some people don't want automatic updates turned on because
they worry that an update might hose their machine, and then when the
machine goes down they'll have no idea that it was an update that
caused it.  But even in that case, couldn't you have the default
setting be to check for updates but not to install them, and then
next time the user signs in, they could be prompted, "These updates
are available, do you want to install them?"

Well, maybe CentOS hasn't caught up with Fedora yet, but the default
user profile in Fedora automatically runs a Gnome widget that notifies
you when updates are available. That's the way it's worked for me, for
the last couple of Fedora releases, at least.

Right, I'm not talking about desktop systems but rather server systems
which are administered remotely.

(The difference being that with a desktop system, you can prompt the
user and it's likely that they'll see it within a day or two, but with a
server, you don't know when the user will sign in next, so the OS
designers have to decide whether they want the default to be to download
updates and apply them automatically, or to do nothing.)

3) What about making it the default setting to always download and
apply updates, and then only letting advanced users disable this
option (which is the approach that Windows takes)?  Advanced users who

Quite often, an update requires some service to be restarted, upon
completion of the update. This is why updates are not commonly
autoinstalled, but the user is required to initiate them.

OK, but then if I ran "yum update -y" every day as you suggested,
wouldn't I run into problems there where services aren't restarted
automatically?

Similar to my original question, would it be wise to have the default
option be to restart services automatically after updates are installed?
On the grounds that *not* restarting the services, is more likely to
cause problems for users (who get their sites hacked because the
services weren't restarted after patches were applied), than would be
caused by restarting the services.  And advanced users who wanted
different behavior (for example, if they're running a popular site with
lots of downloads, and restarting the webserver would be a bad user
experience), could change it themselves.

Bennett

There is a good reason not to make updates automatic, an update can break
your system. If the update is done by hand the administrator will be able
to correlate the update with the appearance of the problem, if it's done
automatically he'll have no idea what broke the system. On an unstable
system like Fedora this is particularly likely to happen. Windows is
subject to this also, recently a Win2K security update broke Quickbooks
on my Win2K VM. I've never seen an update break CentOS and the frequency
and number of updates is low which makes doing automatic updates safer
than it is on other distros. As the previous poster said, all you have to
do is create a cron job that does yum -y update, it can't get much
simpler than that.

Yes but *not* having updates can break your system too -- and result
in your data being stolen or your machine being used to send spam and
attack other hosts. Either choice for a default has some drawbacks;
the question is, which has more.

I think I wasn't clear in my original message: I'm not talking about
solving this problem for myself. I'm already doing "yum -y update" to
get all the latest updates installed. I'm asking whether a different
set of defaults wouldn't reduce the number of compromised Linux
machines on the Internet in general.

It doesn't matter whether we think machine admins "should" sign in
every day (or however often) and do updates manually. Many users are
just going to accept the defaults. Especially now with Virtual
Private Server systems for $10/month, it is unrealistic to expect that
everyone with one of those $10/month accounts is going to follow
whatever we think are "best practices". A lot of them are probably
not even signing in to their servers very often. So the choices for
the default operating system settings are: Download and install
updates automatically, or do nothing. Between those two choices,
wouldn't "download and install updates" be better?

Bennett
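A cron-driven version of the daily "yum -y update" job discussed in this thread, with the two things the thread worries about covered: a timestamped log so an admin can later correlate a breakage with the exact update, and a restart of the services whose packages were replaced. This is an added example, not code posted by anyone in the thread; the package-to-service map, the log path and the assumed one-package-per-line "Updated:" summary format are all assumptions that need adjusting per host.

```shell
#!/bin/sh
# Daily unattended update for a remotely administered CentOS server.
# Added illustration, not from the thread. The mapping below, the log
# path and the yum output format it parses are hypothetical.

LOG=${LOG:-/var/log/auto-update.log}

# Which init script a package update leaves running with stale code.
# Hypothetical mapping; packages not listed here trigger no restart.
service_for_package() {
  case "$1" in
    httpd)          echo httpd ;;
    openssh-server) echo sshd ;;
    mysql-server)   echo mysqld ;;
    *)              return 1 ;;
  esac
}

# Read yum's output on stdin and print the package names listed in its
# "Updated:" section (assumed one "name.arch version" per line), with
# the ".arch" suffix stripped, one per line, deduplicated.
updated_packages() {
  awk '/^Updated:/ {f=1; next} /^[^ ]/ {f=0} f && NF {print $1}' |
    sed 's/\.[^.]*$//' | sort -u
}

# Reduce the updated package list to the unique set of services to restart.
services_to_restart() {
  updated_packages | while IFS= read -r pkg; do
    service_for_package "$pkg" || true
  done | sort -u
}

# Run the update, append a timestamped record of everything yum printed,
# then restart only the services affected, logging each restart too.
apply_updates() {
  out=$(yum -y update 2>&1)
  { printf '=== %s yum -y update ===\n' "$(date '+%F %T')"
    printf '%s\n' "$out"; } >> "$LOG"
  printf '%s\n' "$out" | services_to_restart | while IFS= read -r svc; do
    printf '%s restarting %s\n' "$(date '+%F %T')" "$svc" >> "$LOG"
    service "$svc" restart >> "$LOG" 2>&1
  done
}

# Invoked from cron (e.g. a script in /etc/cron.daily/) as: sh this.sh run
if [ "${1:-}" = run ]; then apply_updates; fi
```

The "run" argument guard keeps sourcing the file side-effect free so the parsing functions can be exercised without touching yum.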


