separate emails to fedora-legacy-announce for each OS
Eric Rostetter
rostetter at mail.utexas.edu
Fri Apr 22 21:13:34 UTC 2005
Quoting Joe Harrington <jh at oobleck.astro.cornell.edu>:
> > The FLP does not recommend nightly yum updates via cron, which is what I
> > think you are recommending here. Is this the recommendation of the
> > Fedora Project?
>
> If you type 'chkconfig yum on', you get nightly updates in FC. It's
Of course, but is it recommended, and if so, for what uses?
> designed to do it, and since FC1 there have been no updates that
> required any special handling.
That's quite amazing... We've no end of things that need special handling
here with the RHL releases (restarting daemons, upgrading versus updating,
rebooting after a kernel update, etc). Even had some bugs (lilo update not
working during a kernel update, etc).
> Even the kernel gets updated this way,
> without problems.
As an example, it doesn't reboot to the new kernel. So that is an
extra step that is needed. If I just do auto updates without checking
what was done, how do I know I need to reboot to the new kernel? If
I don't, then I'm not protected by the new security update to the kernel.
Similar for restarting daemons, etc.
> I don't see that there is any expectation that the
> notices will be read. I believe that RHEL operates this way, too, as
> do many/most distros nowadays (e.g., Debian Ubuntu, cAos).
I can accept if Fedora Project does this, but I know of no other that does.
If there was no need to read the advisory we simply wouldn't issue any
advisories with the updates.
> I don't
> know about official policy, but I also don't know anyone who would
> risk operating any other way. The net has become an increasingly
> dangerous place to compute.
See the archives recently about this, and/or refer to
http://www.fedoralegacy.org/docs/autoupdates.php
> > 1) Whether an update *doesn't* apply to me. So I want to get all the
> > updates, read them, and *know* that it doesn't apply to me. So if my
> > boss, wife, who ever asks me "did you install the latest XYZ update?"
> > or "should I install the latest XYZ update?" or "Why didn't you install
> > the latest XYZ update?" or what ever, I can say with confidence "I researched
> > the issue and that vulnerability doesn't apply in our case."
>
> Sounds labor-intense to me.
That's why they call having a job "labor" because it is labor intensive.
> Why not just take them all when they come
> out?
Because my boss will not accept the answer "I don't know if we need/have the
update or not, but I turned on auto updates so it should be installing
them if they're needed, but I don't know for sure if there is an update yet or
if I need to take other action to protect us in case there isn't an
update yet, and I can't tell you for certain the repository I use is
up and current so that it was really installed or not if there is an update,
and..."
By then he would stop me and fire me.
> yum will figure out whether you have the package, and will
> update it if so. This seems to be what's done by the vast majority of
> users nowadays. Then you can just say "yes", "yes", and "it got it
> automatically the night after it hit the net" to the person asking the
> questions, without needing to look up from the novel you'll now have
> time to read. :-)
Well, how do I know this? At a minimum, I need to know that there is
an update (either read the advisory or check the yum log), and I need
to check that it was installed at least (check the yum log), and then
I need to verify the update fixed the problem (reboot needed, daemon
restart needed, etc). All this is something that simply issuing
a "chkconfig yum on" won't do.
> If it's not the recommendation of FLP to do automatic nightly yum
> updates off your repos, it should be, as it will be the practice of
> most FC users regardless of what you recommend.
Please see above link.
> If you make a point
> of advising otherwise, it will be a strong enough incentive for many
> people to switch away from Fedora completely, and go with a distro
> that does support it for the long term.
I don't think you will find any such distro. Even Microsoft doesn't
recommend doing automated updates.
> FWIW, my FC1 machines have
> been doing fine operating in this mode off your repos, so it doesn't
> appear you need to do much, other than avoid making packages that
> require manual installation.
See the archives from a couple weeks ago to see otherwise.
> --jh--
--
Eric Rostetter
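
The post-update checks raised in the reply above (is the running kernel the newest one installed, and are running processes still mapped to libraries an update replaced), as an added example that is not part of the original message. The function names are hypothetical, and it assumes GNU `sort -V` orders kernel version strings the way rpm would for ordinary errata.

```shell
#!/bin/sh
# Added example: checks that enabling nightly yum updates does not do for you.

# newest_kernel: read `rpm -q kernel` output on stdin and print the newest
# version-release. Assumption: GNU `sort -V` matches rpm ordering here.
newest_kernel() {
    sed -n 's/^kernel-\([0-9].*\)$/\1/p' | sort -V | tail -n 1
}

# reboot_needed RUNNING: succeed (exit 0) when the newest installed kernel
# listed on stdin differs from the running one, i.e. the security fix is on
# disk but the machine has not booted into it.
reboot_needed() {
    newest=$(newest_kernel)
    [ -n "$newest" ] && [ "$newest" != "$1" ]
}

# maps_has_stale_lib FILE: succeed when a /proc/PID/maps-style file lists a
# shared object marked "(deleted)". The library was replaced on disk, so the
# process is still executing the pre-update code and needs a restart.
maps_has_stale_lib() {
    grep -Eq '\.so[^ ]* \(deleted\)$' "$1"
}

# stale_pids [PROC_ROOT]: print the PIDs under PROC_ROOT (default /proc)
# whose maps file shows a replaced library.
stale_pids() {
    root=${1:-/proc}
    for m in "$root"/[0-9]*/maps; do
        [ -r "$m" ] || continue   # skip unreadable or vanished processes
        if maps_has_stale_lib "$m"; then
            pid=${m%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Live usage (as root, so every maps file is readable):
#   rpm -q kernel | reboot_needed "$(uname -r)" && echo "reboot pending"
#   stale_pids
```
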