@ogra The target audience for people to remove unattended upgrades is not the newbies or first-timers on here. You are correct, I should have emphasised that regular manual updating is good practice, which is what I do.
What this moderator should have done is to pm me and point out that perhaps it would be a good idea to emphasise that manual updating is a good idea, not to place a large coloured banner over the top of my post.
That is not the way to behave, it just gets posters’ backs up. I will edit my subsequent post.
I see many new users coming from Windows and I often read “because linux gives me more control” … this is indeed true but if you read the thread where this one got split off from, you yourself mention:
This will give you full control over when and how updates are installed, which is crucial for managing dependencies and system stability
So I as that new user coming from Windows doing my first steps in linux read your post and I read:
“will give me full control” (Yes !! this is why I switched, let’s do this!!) and “If I leave it as it is dependencies and stability are at risk” (OMG, so that linux sh*t I switched to doesn’t work out of the box, I better turn this automatic feature off and manage it manually so it does not get unstable or break its dependencies)
Words are important and your audience might not always be what you want (or expect) it to be … This is a public forum and you can not control who reads your posts even if you assume this thread is “For advanced users only” it might not be the people that actually read your post (or found it through a google search or whatnot) …
Oliver - Yes I agree with most of what you say. However, the moderator instead of sending me a pm and saying “hey perhaps you forgot to say this could expose the system unless you do manual updates” chose to slap a massive banner over the top saying in his OPINION security was more important than anything else - that is just that - a matter of opinion. I personally think the ability to remove hidden software that does things you do not know is happening in the background is far more important.
The whole point of a Linux system is the ability to tinker and make it behave in the way the user wants - that in my OPINION is way more important than some possible security issue that may never occur anyway.
Well, not sure what you call hidden in a linux system, unattended-upgrades is part of Ubuntu, has a very valid reason to exist and it is well documented how it works, what it does and that it is enabled by default in Ubuntu …
It feels a bit like telling someone the brake pipes on their car are a hidden feature (you can’t see them !) and they should remove them because that saves weight and thus your car runs faster (… and beyond that you should have full control over the car anyway, you own it at last, screw that manufacturer and their weird sense of security !!)
If you feel like something in Ubuntu is too hidden and not well enough explained, raise it with the documentation team, make it better known and less “hidden”, if you feel the GUI frontend in software-properties that controls unattended-upgrades is not descriptive enough, by all means file a bug, IMHO it is descriptive enough though and properly tells you what unattended-upgrades will do if you pick the options in it:
Ogra - The point is that it is not explicitly pointed out at the point of installation that unattended upgrades in the background are the default.
Unless you have an issue such as the OP then how would you know unless you happen to click on the upgrades page? There is so much else going on with any modern system, to look at every single item in the system settings would literally take days if you look in every nook and cranny.
Well, “why would you” is the question at hand here …
By default an Ubuntu system will keep itself secure (by simply only updating existing packages with CVE fixes, it will not add or remove packages without you knowing or alter anything of the system at all, all it does is to pull the CVE fixes from security.ubuntu.com and install them)
I think it is rather logical to look at the software and updates settings when you want to change it …
If you install any third party stuff like the OP did, you should really inform yourself about the risks (i.e. that it is a known fact that the closed source amdgpu drivers can cause issues with libav, mesa and the kernel (beyond the fact that you should really only use these drivers for very certain use-cases (mainly commercial ones, because these drivers get certification for certain commercially used apps))) and if one of the known risks is that unattended-upgrades gets in your way, indeed turn them off by using the proper documented method to do this
On a side note, unattended-upgrades is a core part of apt and the package management which is why you should always either use the GUI or apt-config to adjust it (see apt-config dump APT::Periodic for some of the settings that allow you to turn off unattended-upgrades) instead of editing any config files directly that interact with the rest of the package management or even randomly disable single systemd units without taking into account if/how that could affect the rest of apt, this is like pulling out a random gear from your car's transmission and believing that this will only affect one single feature of it …
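As an added example (not from any post in this thread), here is a small POSIX sh check that reads the `apt-config dump APT::Periodic` output the post above refers to and reports whether the daily unattended-upgrade run is enabled, so a headless server can be audited without the software-properties GUI. The sample dump is constructed; the `periodic_value`, `unattended_upgrade_state` and `live_state` functions are mine.

```shell
#!/bin/sh
# Added example: inspect the APT::Periodic settings that decide whether
# unattended-upgrade runs.  Assumes the documented 'Key "value";' line
# format that apt-config dump prints.

# Constructed sample of what `apt-config dump APT::Periodic` prints on a
# default desktop install (both daily jobs switched on).
SAMPLE_DUMP='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

# periodic_value KEY: print the value of APT::Periodic::KEY from the dump
# on stdin, stripped of quotes and the trailing semicolon; empty if absent.
periodic_value() {
    key="APT::Periodic::$1"
    awk -v k="$key" '$1 == k { gsub(/[";]/, "", $2); print $2; exit }'
}

# unattended_upgrade_state: read a dump on stdin and print one of
# enabled / disabled / unset.  The value is a run interval in days, so
# only "0" means the job is off; a missing key means nothing configured it.
unattended_upgrade_state() {
    v=$(periodic_value Unattended-Upgrade)
    case "$v" in
        "") echo unset ;;
        0)  echo disabled ;;
        *)  echo enabled ;;
    esac
}

# live_state: query the real apt-config where it exists, otherwise fall
# back to the constructed sample so the script still runs on other hosts.
live_state() {
    if command -v apt-config >/dev/null 2>&1; then
        apt-config dump APT::Periodic | unattended_upgrade_state
    else
        printf '%s\n' "$SAMPLE_DUMP" | unattended_upgrade_state
    fi
}

# Switching it off through the package's own debconf question keeps the
# setting inside apt's configuration rather than hand-edited files:
#   sudo dpkg-reconfigure unattended-upgrades
```

Run `live_state` on a server to get a one-word answer; on a machine without apt it evaluates the constructed sample instead.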
Oliver - I had a look at the apt-config and couldn’t work it out. Anyway, it really doesn’t matter. I just chug on my merry way and if I break it, I just revert to a backup, it’s not really such a critical thing in my world.
Cheers Tony
Well, I don’t care if you break your system (and will happily help you fix it if you feel like asking for help then), but you were suggesting things to other people that might not have a backup handy, that was the whole point of me speaking up
Mmm, the very first thing you learn when using computers is to have a recent backup, to me that goes without saying; if a seasoned user doesn’t have a backup, then they deserve all they get.
The fact that unattended updates are the default is not being told anywhere.
So it can be a surprise to find out that these are happening.
Not everybody uses these GUI tools, especially if they run a server without GUI at all.
My use case here is a Python server in the internal network that has a very fickle system configuration and should be maintained unmodified in any case. Not even security updates that could change things and introduce issues. As it is reachable only to a few development workstations, the potential cost of identifying issues introduced by updates would be enormous, as the suspect would be first the software being developed, and not the unattended update no one suspected to happen.
Just because I need a reliable test system that is not at risk to change behaviour or even break every moment due to a botched update (like those so loved by Windows™ users), my posts got flagged, tagged with warnings, deleted, closed and my account got muted for weeks.
Personally, I find this not a constructive handling of legitimate questions for legit use cases.
@psychotux I could not agree more.
The way the moderators behave on this forum is not to handle things in a diplomatic and thoughtful manner. Accepting the fact that each one gives of their time and effort freely for no reward does go some way in mitigating their over-zealous attitude. Coming from Ubuntu forums, it is rather a shock to the system to have our posts treated in such a cavalier manner. We are all here trying to learn and assist each other and I am quite saddened by this.
I too have had my system borked by unattended upgrades in the past when I installed a new system and forgot to disable unattended upgrades.
It should be an option at install time with a couple of lines of what they do.
Have you filed bugs about this ? If you did not tweak your system in unusual ways (like installing random third party drivers outside of the archive for example that are known to regularly break) this is not supposed to happen, particularly security updates undergo a significant amount of testing against packages they interact with and they usually also do never touch existing configuration (i.e. by design you really only get these CVE fixed binaries and nothing more), so breakage is not actually supposed to happen, if it does the developer team definitely wants to know about it …
It is not that rare that emergency patches have to make functional changes, disable stuff etc.
So the least would be some source of information what has been patched when, and the readmes/patchnotes describing the changes the patch introduced.
There should imho be special handling of patches that do change functionality.
Email notification should be possible, so the sysadmins are alerted, instead of forcing thousands of admins and users to unnecessarily waste time investigating what suddenly broke their working systems.
and use OpenSCAP with it if you prefer to not use the pro client for this …
And not to mention the USN database that provides RSS, Mail and ATOM feeds for you:
If there are functional changes the tests are usually covering these, do not forget that Canonical is on the CVE embargo lists, there has usually been a lot more time spent on a fix than you see from the outside given Canonical gets info about a vulnerability way ahead of the public to integrate and test the fixes …
Oliver - Listing these is all very well and good, but a busy sysop doesn’t have the time to go chasing and reading every notice about every single unattended upgrade that is pushed through. It is just not practical for you to post a myriad of links in a multitude of your posts to say “but here’s all the information you need”.
You have entirely missed the point.
Repeating myself, if an O/S functions in the way you describe, it is incumbent upon those doing the thrusting to make unsuspecting recipients aware of it at the point of installation.
You keep on repeating the mantra of “this is the way Ubuntu works”; it just does not cut it.
Sorry, but the OP asked about a way to get email notifications about coming and released CVEs (link 2 and 3), which is what I linked to, they were also asking about “how do I know if a CVE affects me?” I sent that same information (link 1) that shows you how to use a pre-installed default tool that will exactly tell you what packages on your system have an open CVE and if there is a fix pending to install …
Seriously what else do you expect here ?
All this is pretty industry standard and used by millions of paying Canonical customers out there happily …
Very simple and built-in into every single Ubuntu install out there:
Oliver - Every time I tried that it sends me off to sites that require login credentials or to some esoteric site that I don’t have a clue how to operate within.
You still have not addressed the main point about informing users about unattended upgrades at the point of installation. That is the main thrust of this thread and you have totally ignored it.