Quoting Joe Harrington <jh@xxxxxxxxxxxxxxxxxxxxxxxxx>:

> > The FLP does not recommend nightly yum updates via cron, which is what I
> > think you are recommending here.  Is this the recommendation of the
> > Fedora Project?
>
> If you type 'chkconfig yum on', you get nightly updates in FC.  It's

Of course, but is it recommended, and if so, for what uses?

> designed to do it, and since FC1 there have been no updates that
> required any special handling.

That's quite amazing...  We've no end of things that need special handling
here with the RHL releases (restarting daemons, upgrading versus updating,
rebooting after a kernel update, etc).  Even had some bugs (lilo update not
working during a kernel update, etc).

> Even the kernel gets updated this way,
> without problems.

As an example, it doesn't reboot to the new kernel.  So that is an extra step
that is needed.  If I just do auto updates without checking what was done, how
do I know I need to reboot to the new kernel?  If I don't, then I'm not
protected by the new security update to the kernel.  Similar for restarting
daemons, etc.

> I don't see that there is any expectation that the
> notices will be read.  I believe that RHEL operates this way, too, as
> do many/most distros nowadays (e.g., Debian Ubuntu, cAos).

I can accept if Fedora Project does this, but I know of no other that does.
If there was no need to read the advisory we simply wouldn't issue any
advisories with the updates.

> I don't
> know about official policy, but I also don't know anyone who would
> risk operating any other way.  The net has become an increasingly
> dangerous place to compute.

See the archives recently about this, and/or refer to
http://www.fedoralegacy.org/docs/autoupdates.php

> > 1) Whether an update *doesn't* apply to me.  So I want to get all the
> > updates, read them, and *know* that it doesn't apply to me.  So if my
> > boss, wife, whoever asks me "did you install the latest XYZ update?"
> > or "should I install the latest XYZ update?"
> > or "Why didn't you install the latest XYZ update?" or whatever, I can
> > say with confidence "I researched the issue and that vulnerability
> > doesn't apply in our case."
>
> Sounds labor-intense to me.

That's why they call having a job "labor" because it is labor intensive.

> Why not just take them all when they come
> out?

Because my boss will not accept the answer "I don't know if we need/have
the update or not, but I turned on auto updates so it should be installing
them if they're needed, but I don't know for sure if there is an update yet
or if I need to take other action to protect us in case there isn't an update
yet, and I can't tell you for certain the repository I use is up and current
so that it was really installed or not if there is an update, and..."
By then he would stop me and fire me.

> yum will figure out whether you have the package, and will
> update it if so.  This seems to be what's done by the vast majority of
> users nowadays.  Then you can just say "yes", "yes", and "it got it
> automatically the night after it hit the net" to the person asking the
> questions, without needing to look up from the novel you'll now have
> time to read. :-)

Well, how do I know this?  At a minimum, I need to know that there is
an update (either read the advisory or check the yum log), and I need to
check that it was installed at least (check the yum log), and then I need
to verify the update fixed the problem (reboot needed, daemon restart needed,
etc).  All this is something that simply issuing a "chkconfig yum on" won't
do.

> If it's not the recommendation of FLP to do automatic nightly yum
> updates off your repos, it should be, as it will be the practice of
> most FC users regardless of what you recommend.

Please see above link.

> If you make a point
> of advising otherwise, it will be a strong enough incentive for many
> people to switch away from Fedora completely, and go with a distro
> that does support it for the long term.

I don't think you will find any such distro.  Even Microsoft doesn't recommend
doing automated updates.

> FWIW, my FC1 machines have
> been doing fine operating in this mode off your repos, so it doesn't
> appear you need to do much, other than avoid making packages that
> require manual installation.

See the archives from a couple weeks ago to see otherwise.

> --jh--

--
Eric Rostetter

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
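
An added example, not part of the original message or of Fedora Legacy's tooling: shell functions for the post-update checks listed in the reply above (what the yum log says changed, whether the running kernel is the one last installed, which daemons need a restart). The log lines, the assumed log layout, the version strings and the package-to-service map are all constructed for illustration.

```shell
#!/bin/sh
# Added example: post-update checks on a yum log. Sample data below is constructed.
# Assumed log line layout: DATE TIME ACTION: NAME.ARCH VERSION-RELEASE
SAMPLE_LOG='05/10/05 04:02:11 Updated: openssh.i386 1.0-2
05/10/05 04:02:15 Updated: openssh-server.i386 1.0-2
05/11/05 04:02:40 Installed: kernel.i686 2.4.22-2.example
05/11/05 04:02:44 Updated: zlib.i386 1.2-3'

# Hypothetical package-to-service map; a site would maintain its own.
SERVICE_MAP='openssh-server:sshd
httpd:httpd'

# Print the names of packages installed or updated on DATE (MM/DD/YY).
changed_packages() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == d && ($3 == "Updated:" || $3 == "Installed:") {
            sub(/\.[^.]*$/, "", $4); print $4 }'
}

# Print the version-release of the last kernel entry in the log, if any.
last_logged_kernel() {
    printf '%s\n' "$1" | awk '
        ($3 == "Updated:" || $3 == "Installed:") && $4 ~ /^kernel\.[^.]+$/ { v = $5 }
        END { if (v != "") print v }'
}

# Succeed when the log shows a kernel other than the running one (uname -r).
reboot_needed() {
    logged=$(last_logged_kernel "$2")
    [ -n "$logged" ] && [ "$logged" != "$1" ]
}

# Print services from SERVICE_MAP whose package changed on DATE.
services_to_restart() {
    changed_packages "$1" "$2" | while read -r pkg; do
        printf '%s\n' "$SERVICE_MAP" | awk -F: -v p="$pkg" '$1 == p { print $2 }'
    done
}

# Report for the constructed sample; on a real host pass "$(cat /var/log/yum.log)"
# and "$(uname -r)" instead.
report() {
    echo "changed on 05/11/05: $(changed_packages "$SAMPLE_LOG" 05/11/05 | tr '\n' ' ')"
    if reboot_needed "2.4.22-1.example" "$SAMPLE_LOG"; then
        echo "reboot needed: running kernel differs from $(last_logged_kernel "$SAMPLE_LOG")"
    fi
    echo "restart: $(services_to_restart "$SAMPLE_LOG" 05/10/05 | tr '\n' ' ')"
}
report
```

The kernel check assumes the log is in chronological order, so the last kernel entry is the newest one installed.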