[Bug 1700930] Re: Default action policy for "Security Updates" changed between 14.04 and 16.04
Etienne Papegnies
etienne.papegnies at univ-avignon.fr
Wed Sep 13 08:23:18 UTC 2017
So, errata. Turns out I was wrong too.
I met @kirkland Dustin Kirkland at ubuncon-europe last weekend and we
talked about this.
It turns out this change IS official policy and is advertised here:
https://insights.ubuntu.com/2016/12/08/ubuntu-16-04-lts-security-a-comprehensive-overview/
https://wiki.ubuntu.com/Security/Features
I still feel this was somewhat underreported and that the classic media
sources that cover Ubuntu have dropped the ball big time, but I can't
fault Ubuntu for that, so I'm closing this issue.
I'll just have to remember to turn this off on any new install or mention it to
the machine's owner and explain the possible consequences.
** Changed in: unattended-upgrades (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1700930
Title:
Default action policy for "Security Updates" changed between 14.04 and
16.04
Status in unattended-upgrades package in Ubuntu:
Invalid
Bug description:
In Ubuntu 14.04.5, the default policy under the "Updates" tab for
"Security Updates" is set to "Display Immediately".
In Ubuntu 16.04+, the default policy is now "Download and Install
Immediately".
I think this occurred due to the fix rolled out for bug #1554099.
This has the following consequences:
- Users may be denied apt lock when trying to install software because
unattended-upgrades is running in the background.
- If a shutdown is forced when the background update is running, users
may be left with an unstable system
- In case the update server is compromised and made to deliver
malware, the blow to the userbase will be massive
- From a PR standpoint, this moves away from the previous "your system
won't ever do stuff without your permission" default policy.
I'm of the opinion that the "Display Immediately" default should be
rolled back. Failing that at least an official policy change
announcement should be published so that users are made aware of this
new default.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1700930/+subscriptions