On Thu, Nov 27, 2025 at 06:25:44PM +0200, George Shuklin wrote:
> On 11/25/25 7:39 PM, Charles Curley wrote:
> > > Given all that I came to ask for advice. Should we enable
> > > unattended-upgrades in Debian for baremetal servers (the same way as
> > > it is enabled for cloud VMs)? Mind, that this installation process is
> > > very automated, we ask users only on their partitioning preferences,
> > > hostname and ssh public key, so we can't simply 'ask user'.
> >
> > I suggest you enable them, and document for your users that you have
> > done so and how to disable them.
>
> Can you give arguments in favor of this option, please?

The general security advice is to patch regularly and to keep up with security updates - this from various governments' cyber security authorities and because malevolent actors start exploiting vulnerabilities early.
The only counter indication is if updates require a restart to install a
new kernel or whatever - at which point there is an interruption in service. Probably better to provide upgrades without needing further explicit action from the users - but warn them that you've done so.
All best, as ever,
Andy
(amacater@debian.org)
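
An added example, not part of the thread: a sketch of an installer post-install hook that enables unattended-upgrades, leaves rebooting to the operator, and tells users how to turn it off, which are the three points raised above. The function names and the `52unattended-upgrades-local` file name are assumptions, and the `unattended-upgrades` package is assumed to be installed already.

```shell
#!/bin/sh
# Added example: hypothetical post-install hook for an automated installer.
# ROOT is the mounted target system; it defaults to "/" on a running host.
# Assumes the unattended-upgrades package is already installed in ROOT.

enable_unattended_upgrades() {
    root="${1:-/}"
    mkdir -p "$root/etc/apt/apt.conf.d" || return 1

    # Enable the periodic package-list refresh and the unattended run.
    cat > "$root/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Explicit local override (file name is an assumption): install
    # patches, but never reboot a bare-metal server automatically.
    cat > "$root/etc/apt/apt.conf.d/52unattended-upgrades-local" <<'EOF'
Unattended-Upgrade::Automatic-Reboot "false";
EOF

    # Tell users what was enabled and how to disable it (added once).
    grep -qs 'Automatic security updates' "$root/etc/motd" ||
    cat >> "$root/etc/motd" <<'EOF'
Automatic security updates are enabled (unattended-upgrades).
To disable: set APT::Periodic::Unattended-Upgrade "0"; in
/etc/apt/apt.conf.d/20auto-upgrades
EOF
}

# Return 0 (and list the packages, if recorded) when an installed update
# is waiting for a reboot; return 1 when no reboot is pending.
reboot_pending() {
    root="${1:-/}"
    [ -f "$root/var/run/reboot-required" ] || return 1
    cat "$root/var/run/reboot-required.pkgs" 2>/dev/null
    return 0
}
```

`reboot_pending` can feed a monitoring check so that a patched kernel waiting for a restart is visible to the server's owner.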
There's nothing special about Microsoft -- it happens to Apple, Unix
and Linux, too. Malware authors are equal opportunity.
To stop the threat, you patch your machines in a timely manner.
You can read more about how to design secure systems in Peter
Gutmann's book Engineering Security,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>. The
discussion on the Microsoft study was presented in Writing Secure Code
by Howard and LeBlanc, if I recall correctly.
Jeff