Easier installation of security updates
This session will discuss ways to get security updates installed quickly and easily.
Blueprint information
- Status: Started
- Approver: Kees Cook
- Priority: High
- Drafter: Marc Deslauriers
- Direction: Needs approval
- Assignee: Marc Deslauriers
- Definition: Approved
- Series goal: Accepted for maverick
- Implementation: Started
- Milestone target: ubuntu-10.10
- Started by: Kees Cook
- Completed by:
Whiteboard
- Is the update-manager popup enough? Is it successful? Is it too annoying?
- Is the update-manager asynchronous popup a security issue with spoofing?
- Should security updates be turned on automatically by default?
- Should update-manager gain an "Always install security updates automatically in the future?" checkbox?
- Should we remove the password requirement for security updates? (an option in the update-manager settings panel?)
Work items:
[mvo] fix unattended-upgrades config file to not hard-code the current distro_codename in it (fixes conffile prompt): DONE
[mvo] add indicator that a restart is required to the mail that unattended-upgrades sends: DONE
[mvo] add a checkbox to enable automatic updates to the update-manager dialog: TODO
[mvo] create a helper to install updates before applications start: TODO
[mvo] modify firefox packaging to use the helper on firefox startup: TODO
[mvo] modify openoffice packaging to use the helper on openoffice startup: TODO
Gobby notes:
Without automatic security updates:
* people complain that prompts are in the way
* prompt the user with information to reboot or restart session or restart firefox, and let them decide to do it now or not
With automatic security updates installed:
* seems many people don't install updates
* openoffice and firefox upgrades are problematic with auto updates
  - can flag these as needing special attention
  - everything can be autoupdate
* critical on boot or anytime, unimportant anytime, things that require a change of session before shutdown
  - security at shutdown has a lot of problems
Options
-------
What about auto updates during screensaver
Install update when user launches the application
  - must be very robust since we don't want it to never open
on execution of any application check if it needs an update based on local cache and prompt
update-manager prompts for 'now', 'ask later' or 'on startup'
update-manager could have 'while idle' and this could be during idle/screensaver or possibly boot
update-manager could have an option to 'Always apply' so that auto updates can be configured easily (needs firefox and oo.o)
preferences could have more options for idle, install, etc
Outcome
-------
[action]: investigate mechanism to update firefox/oo.o/etc on start
[action] mvo: add prominent checkbox/
into auto updates
Server
------
- unattended upgrade works well
- bug for when conffile is modified, and doesn't get updated and therefore
on dist-upgrade the machine no longer auto updates (456906?, and 524545
related to Unattended-
of the conffile conflict due to the email address being set for every
install)
- email requirement for rebooting a server
https:/
- notification mechanism for servers
- have server twitter about need for updates :) Unattended-