Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
I wouldn't do auto-updates. No way. Especially cron-based, as they are unattended. If I had to I'd use cheff or ansible to update machines at desired time. On-demand basis and keep an eye on machines while update is running.
Updates are likely to impair server stability. That's not something I'd like to happen when I'm not prepared. Neithet at SOD nor EOD.
As for security -- anything running as root can have vulns granting root shell. Not to mention lateral attacks, like bit row hammering. Or smth more common, like sudoers misconfig or accidental suid in insecure script :) -
@netikras Same, I've had issues with this for a few months on my mailers actually, as I nuked my php-fpm config with an unattended upgrade through a Termux script I wrote, and consequently broke Roundcube. Coincidentally I fixed that error today.. but that really taught me that unattended upgrades are no good for stability, especially when it comes to servers.
-
@cursee that is the problem.
If you have 50% chance of it being good it also means than you have 50% change of it being a total disaster and honestly it is a risk not worth taking. -
@hell ah life and humans are complicated 🤷♂️
-
@cursee it isn't, we just talk too much. Leave the bullshit aside and everything is simple.
-
@hell but but bullshit is in each and every one of us 🕺
I've got a confession to make.
A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..
What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.
What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.
What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.
At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?
rant