Unattended updates

Ivan Krstic krstic at fas.harvard.edu
Fri Jun 30 12:33:08 BST 2006

David Nielsen wrote:
> That being said if the system starts doing underhanded automatic
> installs I would think that if the user has 3rd party repos in his
> sources.list we would be subject to some nasty spoofing attacks 

I'm not sure what it'll take to have people stop talking about this as
if it were to be written sometime in the future. This exists, it's
written already, and it's in Dapper. It's also resistant to the kind of
attack David proposes, since it requires explicit specification of
(origin, archive) tuples for which unattended upgrades are allowed:

krstic at aeryn:~> cat /etc/apt/apt.conf.d/50unattended-upgrades
// allowed (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu dapper-security";
//      "Ubuntu dapper-updates";

// never update the packages in this list
Unattended-Upgrade::Package-Blacklist {
//      "vim";

Ivan Krstic <krstic at fas.harvard.edu> | GPG: 0x147C722D

More information about the ubuntu-devel mailing list