[CentOS] why not have yum-updatesd running by default?

Wed Dec 28 08:04:11 UTC 2011
Bennett Haselton <bennett at peacefire.org>

Ever since someone told me that one of my servers might have been hacked
(not the most recent instance) because I wasn't applying updates as soon as
they became available, I've been logging in and running "yum update"
religiously once a week until I found out how to set the yum-updatesd
service to do the equivalent automatically (once per hour, I think).

Since then, I've leased dedicated servers from several different companies,
and on all of them, I had to set up yum-updatesd to run and check for
updates -- by default it was off.  Why isn't it on by default?  Or is it
being considered to make it the default in the future?

Power users can always change it if they want; the question is what would
be better for the vast majority of users who don't change defaults.  In
that case it would seem better to have updates on, so that they'll get
patched if an exploit is released but a patch is available.

If the risk is that a buggy update might crash the machine, then that has
to be weighed against the possibility of *not* getting updates, and getting
hacked as a result -- usually the latter being worse.

After all, if users are exhorted to log in to their machines and check for
updates and apply them, that implies that the risk of getting hosed by a
buggy update is outweighed by the risk of getting hacked by not applying
updates.  If that's true for updates that are applied manually, it ought to
be true for updates that are downloaded and applied automatically,
shouldn't it?

Bennett