yum plugin suggestion or yum change?

Matthew Miller mattdm at mattdm.org
Mon Dec 5 15:16:16 UTC 2005


On Mon, Dec 05, 2005 at 10:05:22AM -0500, Jeff Spaleta wrote:
> > Based on my experience, automatic updates by default *is* best security
> > practice AND disabling that default and conscientiously and
> > regularly applying tested updates by hand is also.
> What in your vastly superior personal experience says this is the best
> security practise for Core?

Did I say "vastly superior"? Or are you just expecting that it is? :)

It's simple: at BU, RHEL and Fedora Core machines get broken into as a
matter of course. BU Linux -- which is based on Fedora Core with some
changes and additions -- machines generally don't. Some of that is our
general tightening of security options, but FC is much, much better by
default than RHL6.1, where we started. These days, the main security
difference is: automatic updates on by default.

Of BU Linux systems which *are* compromised, the two main culprits are: weak
local user passwords set by untrained admins (which we're working on some
things to address) and people who have disabled the automatic updates
because they have the best intentions of doing it themselves.

> > Most people aren't going to do the "test first" thing, and those who do
> > can turn off the updates.
> How about we refrain from making comments about what "most" people
> will be doing. "Most" people will be doing whatever the default setup
> is.  Right now "most" people don't automate updates at all so this

Exactly. Most people will follow the default, which is: no updates at all.


> > Otherwise, "install and forget" is the normal
> > practice.
> I'm not asking for normal practise.. I'm asking for what the best
> practise for this project to support is.

I'm not asking for snarky. I'm trying to contribute to the discussion.

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



