On Wed, 3 Sep 2003, Paul Schmehl wrote: > > Enabling a world-wide auto-update feature does indeed seem much of a > > security risk to me. > > > More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or > cvsup for *BSD? cvsup (or cvs) to update to new operating system or ports/pkgsrc sources is different because: - you don't get the final product; the binaries are not built automatically nor installed. - it is used to build from source; and the source code changes can be compared and reviewed by anyone. Jeremy C. Reed http://bsd.reedmedia.net/ p.s. If you are a pkgsrc user, be sure to install and use security/audit-packages. p.p.s. I help run a BSD security update service; I don't think any of our customers automatically upgrade with security updates although it is possible.
