On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell <lesmikesell@gmail.com> wrote:
Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)
If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the "does it still work" test will be unique to your services.
But these are all considerations mainly for power users; I'm still talking just about the vast majority of hosting company customers who just lease a dedicated or virtual private server, and don't even have a "test server" and a "production server". Why wouldn't it be best for those servers just to pick up and install updates automatically?
What would your proposal be? (Remembering that you can't change human nature, so if it relies on the majority of end users devoting time that you think they "should" do, it won't happen :) )
Mine is to assume that there are very good reasons for 'Enterprise' distributions to go to the trouble of publishing updates. Install them. Always assume that there are still more vulnerabilities that you don't know about yet - and if you have to ask the question, you aren't going to do better than the developers and Red Hat at keeping up with them.
Yes, this is good advice for the individual user; what I was asking is what set of *defaults* would improve security the most for the vast majority of users (who cannot be counted on to change defaults -- or, indeed, to follow any advice that anyone thinks "everyone" "should" do!).