[CentOS] Auto-installing security updates?

Tue May 19 17:34:24 UTC 2009
nate <centos at linuxpowered.net>

Anne Wilson wrote:
> I've been asked to think about setting up an installation for a
> recently-widowed man.  His needs are small - mail, Internet, on-line
> banking, basically - but his wife dealt with all of it on her laptop and
> he feels very insecure.
>
> It seems to me that CentOS would be perfect for him except for the need to
> keep it securely patched.  I'm wondering if it's possible to auto-install
> security updates - for that matter, with so small a set of applications
> perhaps auto-installing every update would be good enough.
>
> Maybe this could be done with a script run under cron.daily, so that anacron
> picks it up?

Wasn't there some special process you had to go through when going
from 5.2 to 5.3? Something along the lines of having to manually update
one (or more) packages before upgrading the rest of the system? I see
that sort of issue as being very problematic for anything that
auto-installs updates.

http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.3#head-198f803bc13b52348780db429ae42e0daf82282b

I think a better solution would be an Ubuntu LTS installation, it's
more geared for that type of person, and provides pretty seamless
upgrades for minor and major versions in my experience.

Debian has a nice system in that I can "fix" the configuration file
for apt-get to force it to the current release of the product (the
default is to point to whatever is the current "stable" release),
which will make sure all updates applied to the system are 100%
compatible. If/when I decide to go to a newer version I can take
the time to read the release notes and change the configuration
to point to the next major version of the distro; otherwise you
can fall into a similar trap, having a system blindly try to apply
updates that may be out of order for a major version change.

Not everyone keeps up to date on the day a particular release comes
out.

Ubuntu solves that by placing an easy-to-use button on the update
manager to update to the next version of the distro, or you can
keep getting packages from the existing version; of course, it's
only maintained for so long. My sister's laptop was so out of date
(and wasn't on an LTS version at the time) that I had to jump through
a few hoops to get it updated, as the intermediate versions were
no longer on the main mirror sites. I think her laptop was 3
releases behind at the time.

Major version changes on a RHEL system are even more complicated;
even Red Hat advises doing a clean install.

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch-upgrade-x86.html

SuSE used to be pretty good at upgrading as well though it's been
a few years since I used it.

RHEL/CentOS are great for servers, and perhaps managed workstations
(thinking of replacements for things like Sun/SGI/HP-UX workstations,
and perhaps corporate desktops); I don't see it as a good candidate
for many other things, but that's why there are multiple distributions:
no distro is good at everything.

nate
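The two ideas in the thread above (a cron.daily job that applies updates unattended, and apt sources pinned to a release codename rather than the floating "stable" name so that job can never silently cross a major-version boundary) combined into one script. This is an added example, not code from the thread or from any distribution; it assumes the one-line /etc/apt/sources.list syntax, a caller-supplied codename (lenny is used as a placeholder), and a hypothetical cron file name of /etc/cron.daily/apt-security-update. The sources.list content embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Unattended updater for Debian/Ubuntu
# that refuses to run while any apt source still names a floating suite
# ("stable", "testing", ...), and a helper to pin those suites to a codename.
# Assumptions: one-line sources.list syntax; codename given by the caller;
# installed as /etc/cron.daily/apt-security-update (hypothetical name).

# Constructed sample sources.list: the "stable" entries float and will
# jump to the next release the day Debian moves the alias.
SAMPLE='deb http://ftp.debian.org/debian stable main contrib
deb-src http://ftp.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
# deb http://ftp.debian.org/debian testing main
'

# Print every configured suite name, one per line: third field of deb /
# deb-src lines. Comments and blank lines are skipped. Reads the files
# given as arguments, or stdin when none are given.
apt_suites() {
    awk '$1 == "deb" || $1 == "deb-src" { print $3 }' "$@"
}

# Print the number of suites that float. Floating names are stable,
# oldstable, testing, unstable and their "/updates", "-updates",
# "-security", "-backports" variants. Always exits 0 so callers can use
# it in a command substitution under set -e.
floating_suites() {
    apt_suites "$@" | grep -E -c '^(stable|oldstable|testing|unstable)([/-].*)?$' || true
}

# Rewrite floating suite names to the given codename, keeping any
# "/updates" or "-security" style suffix intact. Reads stdin, writes stdout.
# Group 1: "deb <url> " prefix, 3: suite, 4: optional suffix, 5: whitespace.
pin_sources() {
    codename="$1"
    sed -E "s#^(deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+)(stable|oldstable|testing|unstable)([/-][^[:space:]]*)?([[:space:]])#\1${codename}\4\5#"
}

# Cron driver. Refuses (non-zero exit plus a line on stderr for cron's
# mail) while a floating suite is configured; otherwise applies pending
# upgrades non-interactively, keeping locally modified config files.
# "upgrade" rather than "dist-upgrade": with pinned sources the candidates
# are the release's own security and point-release packages, and nothing
# gets removed or newly pulled in behind the user's back.
update_if_pinned() {
    sources="${1:-/etc/apt/sources.list}"
    n=$(floating_suites "$sources")
    if [ "$n" -ne 0 ]; then
        echo "apt-security-update: $n floating suite(s) in $sources; pin them to a codename first" >&2
        return 1
    fi
    DEBIAN_FRONTEND=noninteractive
    export DEBIAN_FRONTEND
    apt-get -qq update &&
    apt-get -qq -y -o Dpkg::Options::=--force-confold upgrade
}

# Only touch the system when explicitly asked (RUN_UPDATE=1 from the cron
# file), so sourcing this file for its functions never runs apt-get.
if [ -n "${RUN_UPDATE:-}" ]; then
    update_if_pinned "$@"
fi
```

To pin an existing file once, run `pin_sources lenny < /etc/apt/sources.list > /etc/apt/sources.list.new`, review the diff, and move it into place; from then on the daily job keeps applying that release's updates, and moving to the next release becomes the deliberate step of reading the release notes and re-running pin_sources with the new codename, which is exactly the separation the post argues for.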