On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> > Would it not be best for the vast majority of those users to have updates
> > turned on by default? If not, why not? (Power users can always turn them
> > off, after all.)
>
> If your service is important, then it is worth testing changes before
> making them on your important server. But no one else can tell you
> whether your server is that important or not... It's fairly trivial
> to run a 'yum update' on a lab server daily, and if anything updates,
> make sure that things still work before repeating it on the production
> box(es). The update checks can be scripted, but the "does it still
> work" test will be unique to your services.

But these are all considerations mainly for power users; I'm still talking
just about the vast majority of hosting company customers who just lease a
dedicated or virtual private server, and don't even have a "test server" and
a "production server". Why wouldn't it be best for those servers just to
pick up and install updates automatically?

> > What would your proposal be? (Remembering that you can't change human
> > nature, so if it relies on the majority of end users devoting time that you
> > think they "should" do, it won't happen :) )
>
> Mine is to assume that there are very good reasons for 'Enterprise'
> distributions to go to the trouble of publishing updates. Install
> them. Always assume that there are still more vulnerabilities that
> you don't know about yet - and if you have to ask the question, you
> aren't going to do better than the developers and Red Hat at keeping
> up with them.

Yes, this is good advice for the individual user; what I was asking is what
set of *defaults* would improve security the most for the vast majority of
users (who cannot be counted on to change defaults -- or, indeed, to follow
any advice that anyone thinks "everyone" "should" do!).
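The "yum update on the lab box, check that things still work, then repeat on production" routine that Les describes is easy to script. The script below is an added example for this page, not code posted in the thread and not anything shipped by CentOS or Red Hat. It assumes a yum-based EL host; the manifest path, the two-mode `lab`/`prod` interface and the placeholder `HEALTH_CHECK` command (a curl against the local web server) are my own hypothetical choices, and the health check in particular is the part each site has to write for its own services. The one thing it does beyond the plain procedure is record the exact package versions that passed in the lab and install those same versions on production, so a package that lands in the repo between the two runs does not slip through untested.

```shell
#!/bin/sh
# Added example (not from the thread): stage updates on a lab box first, then
# install exactly the same package versions on production.
#
#   ./staged-update.sh lab    apply pending updates on the lab host, run the
#                             service health check, record the package set
#   ./staged-update.sh prod   install the recorded package set on production
#
# Assumptions (hypothetical, adjust to taste): a yum-based EL host, the
# manifest path below, and a HEALTH_CHECK command that encodes the "does it
# still work" test for your particular service.

MANIFEST="${MANIFEST:-/var/tmp/approved-updates.txt}"
YUM="${YUM:-yum}"
# The health check is the part that has to be written per service; this
# placeholder just asks the local web server for its front page.
HEALTH_CHECK="${HEALTH_CHECK:-curl -fsS -o /dev/null http://127.0.0.1/}"

# Turn 'yum check-update' output into package specs that yum accepts on the
# command line (name-[epoch:]version-release.arch).  Handles the two output
# quirks that matter: long names wrapped onto their own line, and the indented
# "installed" lines under "Obsoleting Packages", which are not updates.
parse_check_update() {
    awk '
        { indented = ($0 ~ /^[ \t]/) }
        NF == 1 && $1 ~ /\./ && !indented { held = $1; next }
        NF == 2 && held != "" { $0 = held " " $1 " " $2; indented = 0 }
        { held = "" }
        NF == 3 && !indented && $1 ~ /\./ && $2 ~ /[0-9]/ && $3 != "installed" && $3 !~ /^@/ {
            name = $1; sub(/\.[^.]*$/, "", name)   # strip ".arch"
            arch = $1; sub(/.*\./, "", arch)      # keep only "arch"
            print name "-" $2 "." arch
        }'
}

lab_stage() {
    out=$(mktemp) || return 1
    rc=0
    # check-update exits 0 for nothing to do, 100 for updates available, 1 on error
    "$YUM" -q check-update > "$out" || rc=$?
    case $rc in
        0)   echo "lab: no updates pending"; rm -f "$out"; return 0 ;;
        100) ;;
        *)   echo "lab: yum check-update failed (rc=$rc)" >&2; rm -f "$out"; return 1 ;;
    esac
    parse_check_update < "$out" > "$MANIFEST.pending"
    rm -f "$out"
    # Word splitting on the spec list is intended.
    "$YUM" -y update $(cat "$MANIFEST.pending") || return 1
    if $HEALTH_CHECK; then
        mv "$MANIFEST.pending" "$MANIFEST"
        echo "lab: health check passed; $(wc -l < "$MANIFEST") package(s) approved"
    else
        echo "lab: health check FAILED after update; nothing approved" >&2
        return 1
    fi
}

prod_stage() {
    if [ ! -s "$MANIFEST" ]; then
        echo "prod: no approved manifest at $MANIFEST" >&2
        return 1
    fi
    # Install the versions that passed in the lab, not whatever is newest now.
    "$YUM" -y update $(cat "$MANIFEST") || return 1
    $HEALTH_CHECK
}

case "${1:-}" in
    lab)  lab_stage ;;
    prod) prod_stage ;;
    "")   : ;;   # no mode given: only define the functions (sourcing / testing)
    *)    echo "usage: $0 lab|prod" >&2; exit 2 ;;
esac
```

Run the `lab` mode from cron on the lab host and the `prod` mode by hand (or from a second cron entry that only fires after the manifest has changed). If production's package set differs from the lab's, filter the manifest against `rpm -q` on the production box first, since a spec for a package that is not installed there does nothing useful.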