unattended-upgrade(8)

Dmitrijs Ledkovs dmitrij.ledkov at gmail.com
Fri Apr 2 02:11:46 UTC 2010


On 1 April 2010 23:34, Alexander Schrijver
<alexander.schrijver at gmail.com> wrote:
>
> Except for the program and libraries in memory.

There is no safe way to replace anything in memory; that would be a
buffer overflow attack.

> How can you ever be sure of this? For example, in the case of firefox it would
> change the XUL/Javascript files. As I said, I noticed the interface would get
> messed up, but it could get messed up in a way that your data couldn't be sent
> anymore.
>

You can never be sure.

> I think this is a really bad policy. Most (All?) programs don't expect their
> resources to be changed while they are running. Knowingly bringing programs into
> an unknown state seems like a really, really bad idea to me.

It's not a policy, but a default. You can comment out all lines in the
config file I've mentioned before, or you can $ apt-get remove
unattended-upgrades if you don't like it. But then it will be your
responsibility to keep your machine secure and updated.

As noted by ubuntu-mozilla, there are ~120 CVE reports against firefox
fixed in each release, e.g. every 4-6 months. Not all of them are pushed to
the security repository.

This default is here to keep ~3 million users safe when they
install Ubuntu. As you become a more advanced user, there are other
options available for you in Ubuntu.

Also note that data speaks better. For example, Gtk issues non-critical
warnings if some of its data files don't quite match up (e.g. icons
changed or not available, glade files changed). Plus those resources are
already in memory for Gtk apps, so you can delete glade files from
a running gtk app and it will continue to behave normally. It might not
be able to build additional dialogs if that GtkBuilder file is not
cached. And quite a lot of stock gnome programs build their UI
using gtk directly without glade/gtkbuilder. Most of the Ubuntu Desktop
installation is Gnome applications written to a high standard.

Can you please tell me whether firefox crashed for you in the end or not?

So Ubuntu decided that it is more important to keep loads of computers
updated with essential security fixes by default for a default
installation. (Look at the packages.ubuntu.com security subsection and
at the corresponding diffs; you will notice they are almost never more
than one-liners.)

Obviously our unseeded packages might not be as great as apps in the
*-desktop seeds, so if you do find that an app does not behave gracefully
because of a -security update, please file a bug.

Note this is considered more user-friendly than mandating a computer
restart, shutting down applications, installing at shutdown, and requiring
the user to do this loop a few times in a row, which some other Operating
Systems do. You don't even need to restart your computer to upgrade to
a new release. (It is better, though, to get kernel drivers reloaded.)

And again, if it doesn't seem to be appropriate for your system, then
you are free to disable unattended-upgrades on your system.

Good luck.
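The mail says the default can be turned off by commenting out lines in the unattended-upgrades config file or by removing the package. Here is an added example of a read-only audit of that configuration; it is not from this thread or from the unattended-upgrades project. It assumes (as on current Ubuntu systems) that the periodic switch lives in /etc/apt/apt.conf.d/20auto-upgrades as APT::Periodic::Unattended-Upgrade and the origin list in /etc/apt/apt.conf.d/50unattended-upgrades as Unattended-Upgrade::Allowed-Origins; the sample text below is constructed to mirror that layout, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of whether
# unattended-upgrades runs are enabled and which origins it may pull from.
# The two samples are constructed; they mirror the layout of
# /etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades (assumption).

AUTO_UPGRADES_SAMPLE='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

UNATTENDED_SAMPLE='// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
//      "Ubuntu lucid-updates";
};
Unattended-Upgrade::Mail "root";'

# periodic_enabled CONFIG_TEXT
# Prints 1 when APT::Periodic::Unattended-Upgrade is set to a non-zero value
# (the last assignment wins, as in apt.conf), otherwise 0.
periodic_enabled() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]*"\([0-9]*\)".*/\1/p' \
      | tail -n 1 \
      | grep -q '^[1-9]' && echo 1 || echo 0
}

# allowed_origins CONFIG_TEXT
# Prints the active entries of Unattended-Upgrade::Allowed-Origins, one per
# line, skipping entries that are commented out with "//".
allowed_origins() {
    printf '%s\n' "$1" \
      | sed -n '/Allowed-Origins[[:space:]]*{/,/^[[:space:]]*};/p' \
      | grep -v '^[[:space:]]*//' \
      | sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p'
}

# security_only CONFIG_TEXT
# Succeeds (exit 0) when every active origin is a -security pocket, which is
# the conservative default the mail describes; fails if e.g. -updates is on.
security_only() {
    allowed_origins "$1" | grep -qv -- '-security$' && return 1
    return 0
}

# Stand-alone demonstration on the constructed samples.
printf 'unattended runs enabled: %s\n' "$(periodic_enabled "$AUTO_UPGRADES_SAMPLE")"
printf 'allowed origins:\n%s\n' "$(allowed_origins "$UNATTENDED_SAMPLE")"
if security_only "$UNATTENDED_SAMPLE"; then
    echo 'policy: security pocket only'
else
    echo 'policy: non-security origins are also enabled'
fi
```

On a real machine the same functions can be fed the live files, e.g. allowed_origins "$(cat /etc/apt/apt.conf.d/50unattended-upgrades)", to see exactly what the default would install without asking; setting APT::Periodic::Unattended-Upgrade "0"; in 20auto-upgrades is the switch that stops the periodic runs without removing the package.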

More information about the Ubuntu-devel-discuss mailing list