[CentOS] why not have yum-updatesd running by default?

Thu Dec 29 19:23:46 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On Thu, Dec 29, 2011 at 1:10 PM, Bennett Haselton <bennett at peacefire.org> wrote:
>
>> If your service is important, then it is worth testing changes before
>> making them on your important server.   But no one else can tell you
>> whether your server is that important or not...   It's fairly trivial
>> to run a 'yum update' on a lab server daily, and if anything updates,
>> make sure that things still work before repeating it on the production
>> box(es).   The update checks can be scripted, but the "does it still
>> work" test will be unique to your services.
>>
>
> But these are all considerations mainly for power users; I'm still talking
> just about the vast majority of hosting company customers who just lease a
> dedicated or virtual private server, and don't even have a "test server"
> and a "production server".  Why wouldn't it be best for those servers just
> to pick up and install updates automatically?

There's a chance it will break your service.  If that isn't important
enough for you to test, then yes, you should update automatically, but
you don't get to blame someone else when it does break.  It has to be
your choice.  But you are pretty much guaranteed to have known
vulnerabilities if you don't update.  All you have to do is look at
the changelogs to see that.

>> Mine is to assume that there are very good reasons for 'Enterprise'
>> distributions to go to the trouble of publishing updates.  Install
>> them.  Always assume that there are still more vulnerabilities that
>> you don't know about yet - and if you have to ask the question, you
>> aren't going to do better than the developers and Red Hat at keeping
>> up with them.
>>
>
> Yes, this is good advice for the individual user; what I was asking is what
> set of *defaults* would improve security the most for the vast majority of
> users (who cannot be counted on to change defaults -- or, indeed, to follow
> any advice that anyone thinks "everyone" "should" do!).

There is always a tradeoff between convenience and security and one
size doesn't fit all.  If everything on the site is public anyway then
the most you have to lose is the service of the machine.   If there is
something valuable to steal then you should be prepared to do some
extra work to protect it.  In any case don't install or expose any
services that aren't absolutely needed.

-- 
  Les Mikesell
    lesmikesell at gmail.com
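The lab-box-first routine quoted above (run the update check daily on a lab server, apply, confirm the service still works, only then repeat on production), with the check step scripted as Les says it can be. This is an added example, not code from the list post or from CentOS. The yum exit codes it relies on are real (check-update returns 0 for nothing pending, 100 for updates pending, 1 on error); the `service_health_check` function is a placeholder you must replace, because that part is unique to your services, and the check-update output embedded at the bottom is a constructed sample for offline testing.

```shell
#!/bin/sh
# Added example (not from the list post): scripted daily update check
# for a lab server, applying updates and then running a service test.

# Count package rows in "yum check-update" output read from stdin.
# Package rows have three fields (name.arch, version, repo) and the first
# field contains a dot; header lines such as "Loaded plugins: ..." and
# " * base: mirror" do not match that shape and are skipped.
count_pending_updates() {
    awk 'NF == 3 && $1 ~ /\./ { n++ } END { print n + 0 }'
}

# Map the exit status of "yum check-update" to a word for the caller:
# 0 = nothing pending, 100 = updates pending, anything else = error.
classify_check_update_status() {
    case "$1" in
        0)   echo none ;;
        100) echo pending ;;
        *)   echo error ;;
    esac
}

# Placeholder (assumption): replace with whatever proves your own service
# still works after an update, e.g. a request against your application.
service_health_check() {
    return 0
}

# One daily cycle on the lab server: log what is pending, apply it, then
# run the health check. A failing check is reported so the same update
# set is held back from production until someone has looked at it.
lab_update_cycle() {
    pending=$(yum -q check-update 2>/dev/null)
    status=$?
    case "$(classify_check_update_status "$status")" in
        none)  echo "no updates pending"; return 0 ;;
        error) echo "yum check-update failed (exit $status)" >&2; return 1 ;;
    esac
    echo "$(printf '%s\n' "$pending" | count_pending_updates) update(s) pending:"
    printf '%s\n' "$pending"
    yum -y update || return 1
    if service_health_check; then
        echo "updates applied and health check passed; safe to repeat on production"
    else
        echo "health check FAILED after update; hold production" >&2
        return 1
    fi
}

# Constructed sample of check-update output (versions are made up),
# used when the script is run as: sh lab-update.sh demo
SAMPLE_CHECK_UPDATE_OUTPUT='Loaded plugins: fastestmirror
 * base: mirror.example.org

bash.x86_64        4.1.2-15.el6_4        updates
kernel.x86_64      2.6.32-358.23.2.el6   updates'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CHECK_UPDATE_OUTPUT" | count_pending_updates
fi
```

Run it from cron on the lab box with no argument to perform a cycle, or with `demo` to exercise the parser on the embedded sample. The production step is deliberately left to a human: the script only tells you whether the lab box survived the update.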