separate emails to fedora-legacy-announce for each OS

Eric Rostetter rostetter at mail.utexas.edu
Fri Apr 22 21:13:34 UTC 2005


Quoting Joe Harrington <jh at oobleck.astro.cornell.edu>:

> > The FLP does not recommend nightly yum updates via cron, which is what I
> > think you are recommending here.  Is this the recommendation of the
> > Fedora Project?
> 
> If you type 'chkconfig yum on', you get nightly updates in FC.  It's

Of course, but is it recommended, and if so, for what uses?

> designed to do it, and since FC1 there have been no updates that
> required any special handling.

That's quite amazing...  We've no end of things that need special handling
here with the RHL releases (restarting daemons, upgrading versus updating,
rebooting after a kernel update, etc).   Even had some bugs (lilo update not
working during a kernel update, etc).

> Even the kernel gets updated this way,
> without problems.

As an example, it doesn't reboot to the new kernel.  So that is an
extra step that is needed.  If I just do auto updates without checking
what was done, how do I know I need to reboot to the new kernel? If
I don't, then I'm not protected by the new security update to the kernel.
Similar for restarting daemons, etc.

> I don't see that there is any expectation that the
> notices will be read.  I believe that RHEL operates this way, too, as
> do many/most distros nowadays (e.g., Debian, Ubuntu, cAos).

I can accept if Fedora Project does this, but I know of no other that does.
If there was no need to read the advisory we simply wouldn't issue any
advisories with the updates.

> I don't
> know about official policy, but I also don't know anyone who would
> risk operating any other way.  The net has become an increasingly
> dangerous place to compute.

See the archives recently about this, and/or refer to
http://www.fedoralegacy.org/docs/autoupdates.php

> > 1) Whether an update *doesn't* apply to me.  So I want to get all the
> > updates, read them, and *know* that it doesn't apply to me.  So if my
> > boss, wife, whoever asks me "did you install the latest XYZ update?"
> > or "should I install the latest XYZ update?" or "Why didn't you install
> > the latest XYZ update?" or whatever, I can say with confidence "I
> > researched the issue and that vulnerability doesn't apply in our case."
> 
> Sounds labor-intense to me.

That's why they call having a job "labor" because it is labor intensive.

> Why not just take them all when they come
> out?

Because my boss will not accept the answer "I don't know if we need/have the
update or not, but I turned on auto updates so it should be installing
them if they're needed, but I don't know for sure if there is an update yet or
if I need to take other action to protect us in case there isn't an
update yet, and I can't tell you for certain the repository I use is
up and current so that it was really installed or not if there is an update,
and..."

By then he would stop me and fire me.

> yum will figure out whether you have the package, and will
> update it if so.  This seems to be what's done by the vast majority of
> users nowadays.  Then you can just say "yes", "yes", and "it got it
> automatically the night after it hit the net" to the person asking the
> questions, without needing to look up from the novel you'll now have
> time to read. :-)

Well, how do I know this?  At a minimum, I need to know that there is
an update (either read the advisory or check the yum log), and I need 
to check that it was installed at least (check the yum log), and then
I need to verify the update fixed the problem (reboot needed, daemon
restart needed, etc).  All this is something that simply issuing
a "chkconfig yum on" won't do.
 
> If it's not the recommendation of FLP to do automatic nightly yum
> updates off your repos, it should be, as it will be the practice of
> most FC users regardless of what you recommend. 

Please see above link.

> If you make a point
> of advising otherwise, it will be a strong enough incentive for many
> people to switch away from Fedora completely, and go with a distro
> that does support it for the long term.

I don't think you will find any such distro.  Even Microsoft doesn't
recommend doing automated updates.

> FWIW, my FC1 machines have
> been doing fine operating in this mode off your repos, so it doesn't
> appear you need to do much, other than avoid making packages that
> require manual installation.

See the archives from a couple weeks ago to see otherwise.

> --jh--

-- 
Eric Rostetter
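
The checks described in the message above (was an update installed, is a reboot or a daemon restart still pending), sketched as an added example that is not part of the original post or of any Fedora Legacy tooling. The log line layout, the sample log, and the package-to-init-script watch list are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed log layout (it differs between yum versions):
#   <timestamp> Updated|Installed: <name>.<arch> <version>-<release>

# Constructed sample log, not taken from a real system.
SAMPLE_LOG='Apr 22 04:02:11 Updated: openssh-server.i386 3.6.1p2-34
Apr 22 04:02:15 Updated: httpd.i386 2.0.51-1.6
Apr 22 04:02:40 Installed: kernel.i686 2.4.22-1.2199.nptl
Apr 22 04:02:41 Updated: tzdata.noarch 2005h-1'

# Hypothetical watch list: package name -> init script to restart.
WATCHED='openssh-server:sshd httpd:httpd sendmail:sendmail'

# Print "name version-release" for every package the log says changed.
changed_packages() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
            if ($i == "Updated:" || $i == "Installed:") {
                name = $(i + 1); sub(/\.[^.]*$/, "", name)   # drop .arch
                print name, $(i + 2)
            } }'
}

# Print the last kernel version the log installed, empty if none.
installed_kernel() {
    changed_packages "$1" | awk '$1 == "kernel" { v = $2 } END { if (v != "") print v }'
}

# Succeeds when a kernel was installed that is not the one running.
# $2 is the running release, e.g. the output of `uname -r`.
reboot_needed() {
    new=$(installed_kernel "$1")
    [ -n "$new" ] && [ "$new" != "$2" ]
}

# Print the init scripts whose packages changed and need a restart.
daemons_to_restart() {
    for pkg in $(changed_packages "$1" | awk '{ print $1 }'); do
        for pair in $WATCHED; do
            if [ "${pair%%:*}" = "$pkg" ]; then
                printf '%s\n' "${pair#*:}"
            fi
        done
    done
}

# Demo on the constructed log with a constructed running release.
reboot_needed "$SAMPLE_LOG" "2.4.22-1.2149.nptl" && echo "reboot pending"
echo "restart:" $(daemons_to_restart "$SAMPLE_LOG")
```

On a real host the two inputs would be the contents of the yum log and the output of `uname -r`; the comparison assumes both report the kernel release in the same form.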



