[CentOS] why not have yum-updatesd running by default?

Thu Dec 29 19:10:59 UTC 2011
Bennett Haselton <bennett at peacefire.org>

On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> > Would it not be best for the vast majority of those users to have updates
> > turned on by default?  If not, why not?  (Power users can always turn them
> > off, after all.)
>
> If your service is important, then it is worth testing changes before
> making them on your important server.   But no one else can tell you
> whether your server is that important or not...   It's fairly trivial
> to run a 'yum update' on a lab server daily, and if anything  updates,
> make sure that things still work before repeating it on the production
> box(es).   The update checks can be scripted, but the "does it still
> work" test will be unique to your services.
>

But these are all considerations mainly for power users; I'm still talking
just about the vast majority of hosting company customers who just lease a
dedicated or virtual private server, and don't even have a "test server"
and a "production server".  Why wouldn't it be best for those servers just
to pick up and install updates automatically?


> > What would your proposal be?  (Remembering that you can't change human
> > nature, so if it relies on the majority of end users devoting time that you
> > think they "should" do, it won't happen :) )
>
> Mine is to assume that there are very good reasons for 'Enterprise'
> distributions to go to the trouble of publishing updates.  Install
> them.  Always assume that there are still more vulnerabilities that
> you don't know about yet - and if you have to ask the question, you
> aren't going to do better than the developers and Red Hat at keeping
> up with them.

Yes, this is good advice for the individual user; what I was asking is what
set of *defaults* would improve security the most for the vast majority of
users (who cannot be counted on to change defaults -- or, indeed, to follow
any advice that anyone thinks "everyone" "should" do!).