Too many "security" updates

These are my update settings in 24.04:

I’m presented with dozens of package updates daily, sometimes multiple times a day. This is obnoxious.

Are there really this many security updates? Maybe there’s a bug in how the settings are applied.

If there are really this many security updates, I’d suggest creating a distinction between minor theoretical security issues and major issues with known exploits. Only the latter should update daily.

That does not sound right. Have you by chance accidentally enabled the proposed pocket in the developer options tab? (Note this should not be permanently enabled.)

2 Likes

Try changing the “When there are security updates:” option

Your current setting (“Display Immediately”) tells the system that you want to inspect every update immediately. If you find that to be obnoxious, you can change it.

Here’s an example of a just-do-it-without-pestering-me option…

5 Likes

@ogra Proposed is not selected.

@ian-weisser I definitely do not want anything installed without my explicit knowledge and permission. I understand what “display immediately” means and it matches my intention. I am questioning whether there are really numerous security updates every day, or whether Ubuntu is being over-zealous in identifying updates as security updates.

The documentation for unattended-upgrades does explain what pockets it looks at by default…

You can also watch the noble-changes mailing list to see all non-security updates that get released:

2 Likes

Oh, that’s easy for you to find out for yourself.
Examine the changelog for every security update, and you’ll see that they all mitigate CVEs. Those are, by definition, security updates.

Yes, there are that many.

  1. The support category is very much the wrong place to make suggestions.

  2. Once you discover the correct place, you’re going to need to come up with a rock-solid definition of what’s minor vs. major, and get some of the pickiest security engineers in the world to agree. If that were easy, it would have been done long ago.

  3. You’re going to need to justify withholding security updates from a rather large crowd of very angry sysadmins because “somebody thought they were minor.” That’s how lawsuits get started, so you’re also going to need to convince a lot of lawyers that withholding security updates from you is a really good idea.

It’s unclear if you’re finding the number of updates obnoxious, or if perhaps you are finding the unexpected interruption to be the problem. The latter can be very easily remedied in several convenient ways.

2 Likes

@ian-weisser Fortunately there’s already a definition that security experts agree on: Common Vulnerability Scoring System

I’m finding the number of updates obnoxious. I consider the number of updates itself to be a security issue, because it pushes me to turn off daily notifications for security updates. I’d like to be notified daily of security updates over some threshold CVSS and weekly of everything else.

Where is the right place to make suggestions?

1 Like

The appropriate place to make suggestions to improve Ubuntu is the bug tracker at launchpad.net

1 Like

FYI, there is also The ubuntu-security-announce Archives, which announce all USNs (Ubuntu Security Notices).

Regarding the prioritization of USNs, there is a blog article from the Ubuntu Security team about it:

https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation

By default, usually only high- and critical-rated vulnerabilities get fixed … (others are best effort but most of the time fall through).

3 Likes

@ogra That blog post is interesting. It sounds like Ubuntu is already doing exactly what @ian-weisser suggested would get a bunch of lawyers riled up. Namely, they’re making decisions for us about the priority of security issues. This is a good thing. They’re following the CVSS recommendation of not basing risk assessment exclusively on the CVSS rating, but considering other factors that are relevant to an organization, like how many people are using the package.

The blog says Ubuntu averages over 3 security updates per day, and mentions prioritizing high and critical vulns, but doesn’t explicitly say the 3 per day are mostly high and critical. When I log in and see 10-20 security updates, maybe it’s really just 3 security updates and a bunch of version-dependent packages.

1 Like
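One way to check the two claims made in this thread, that the security updates all reference CVEs in their changelogs and that a long list of pending updates may be a few source packages rebuilt into many binaries, is to parse the output of `apt list --upgradable` and `apt-get changelog <pkg>` yourself. The script below is an added example for this thread, not code from Ubuntu or from any poster; all sample input is constructed, the CVE ids are placeholders, and grouping by version string is a heuristic for "same source package".

```python
"""Triage pending Ubuntu updates: count them per pocket, group the security ones
by version (several binaries from one source rebuild), and list the CVE ids a
security changelog entry references. Added example for this thread, not Ubuntu's
or any poster's code; all sample data is constructed and CVE ids are placeholders."""
import re
from collections import Counter

# Constructed sample in the shape of `apt list --upgradable` output.
UPGRADABLE = """\
libfoo1/noble-security 1.2.3-0ubuntu0.24.04.1 amd64 [upgradable from: 1.2.2-0ubuntu1]
libfoo-bin/noble-security 1.2.3-0ubuntu0.24.04.1 amd64 [upgradable from: 1.2.2-0ubuntu1]
libfoo-dev/noble-security 1.2.3-0ubuntu0.24.04.1 amd64 [upgradable from: 1.2.2-0ubuntu1]
bar/noble-updates 4.5.6-1ubuntu0.1 amd64 [upgradable from: 4.5.6-1]
"""

# Constructed changelog excerpt in the shape `apt-get changelog` prints; placeholder CVE ids.
CHANGELOG = """\
libfoo (1.2.3-0ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in parser (placeholder)
    - CVE-0000-00001
  * SECURITY UPDATE: denial of service (placeholder)
    - CVE-0000-00002
"""

LINE_RE = re.compile(r"^(?P<pkg>[^/\s]+)/(?P<pocket>\S+)\s+(?P<ver>\S+)")
HEADER_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<suite>\S+);")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def updates_by_pocket(text):
    """Count upgradable binary packages per pocket (e.g. noble-security)."""
    hits = (LINE_RE.match(line) for line in text.splitlines())
    return dict(Counter(m["pocket"] for m in hits if m))

def security_groups(text):
    """Group -security binaries by version string (heuristic for one source package)."""
    groups = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if m["pocket"].endswith("-security"):
            groups.setdefault(m["ver"], []).append(m["pkg"])
    return groups

def cves_by_version(changelog):
    """Map each changelog version to the sorted CVE ids its entry mentions."""
    result, current = {}, None
    for line in changelog.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = result.setdefault(h["ver"], set())
        elif current is not None:
            current.update(CVE_RE.findall(line))
    return {v: sorted(s) for v, s in result.items()}
```

On a real 24.04 box, feed the functions the actual command output instead of the constructed strings; a security pocket count of 10-20 that collapses into two or three version groups is the "version-dependent packages" case described above.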

Yes, that’s most likely. Security updates are critical in this age. If you find them “obnoxious”, you can change your settings to be more like Windows, and update only weekly. Personally, I’m pleased that Canonical takes the time to address security problems as fast as it is capable of doing.

Maintenance is costly! In addition, each time updates are provided, there’s always a small risk of problems (which is why Ubuntu utilises phased updates). Therefore, Canonical wouldn’t waste money and increase risk by being “overzealous”.

I run updates daily on all of my devices (not just Ubuntu; also Android and others) to protect them and me. But, if you don’t like it, set your updates to weekly instead of daily. I don’t advise it, though.