Easier installation of security updates

Registered by Marc Deslauriers

This session will discuss ways to get security updates installed quickly and easily.

Blueprint information

Kees Cook
Marc Deslauriers
Needs approval
Series goal: Accepted for maverick
Milestone target: ubuntu-10.10
Started by: Kees Cook


- Is the update-manager popup enough? Is it successful? Is it too annoying?
- Is the update-manager asynchronous popup a security issue with spoofing?
- Should security updates be turned on automatically by default?
- Should update-manager gain an "Always install security updates automatically in the future?" checkbox?
- Should we remove the password requirement for security updates? (an option in the update-manager settings panel?)

Work items:
[mvo] fix unattended-upgrades config file to not hard-code the current distro_codename in it (fixes conffile prompt): DONE
[mvo] add indicator that a restart is required to the mail that unattended-upgrades sends: DONE
[mvo] add a checkbox to enable automatic updates to the update-manager dialog: TODO
[mvo] create a helper to install updates before applications start: TODO
[mvo] modify firefox packaging to use the helper on firefox startup: TODO
[mvo] modify openoffice packaging to use the helper on openoffice startup: TODO

Gobby notes:

Without automatic security updates
* people complain that prompts are in the way
* prompt the user with information to reboot or restart session or restart firefox,
  and let them decide to do it now or not

With automatic security updates installed:
* seems many people don't install updates
* openoffice and firefox upgrades are problematic with auto updates
  - can flag these as needing special attention
  - everything can be autoupdate
* critical on boot or anytime, unimportant anytime, things that require a change
  of session before shutdown
  - security at shutdown has a lot of problems

What about auto updates during screensaver

Install update when user launches the application
- must be very robust since we don't want it to never open

on execution of any application check if it needs an update based on local cache
and prompt

update-manager prompts for 'now', 'ask later' or 'on startup'

update-manager could have 'while idle' and this could be during idle/screensaver or
possibly boot

update-manager could have an option to 'Always apply' so that auto updates can
be configured easily (needs firefox and oo.o)

preferences could have more options for idle, install, etc

[action]: investigate mechanism to update firefox/oo.o/etc on start
[action] mvo: add prominent checkbox/button/shinyness to update-manager to opt
  into auto updates

- unattended upgrade works well
  - bug for when conffile is modified, and doesn't get updated and therefore
    on dist-upgrade the machine no longer auto updates (456906?, and 524545
    related to Unattended-Upgrade::Allowed-Origins being unchanged because
    of the conffile conflict due to the email address being set for every
- email requirement for rebooting a server
- notification mechanism for servers
  - have server twitter about need for updates :) Unattended-Upgrade::0wnme
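
The conffile failure noted above (a kept, modified config still naming the old release in Unattended-Upgrade::Allowed-Origins after a dist-upgrade) can be checked for mechanically. The following is an added example, not code from unattended-upgrades or from this blueprint; the sample configs are constructed, the function names are hypothetical, and the lucid-to-maverick upgrade is assumed for illustration.

```python
import re

# Constructed sample: a conffile the admin kept at the prompt (mail address
# edited), still hard-coding the previous release's codename.
STALE_CONF = '''
// local change: mail address set
Unattended-Upgrade::Allowed-Origins {
    "Ubuntu lucid-security";
//  "Ubuntu lucid-updates";
};
Unattended-Upgrade::Mail "root@localhost";
'''

# Constructed sample: the same block using the substitution variable instead.
FIXED_CONF = '''
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
};
'''

BLOCK_RE = re.compile(
    r'Unattended-Upgrade::Allowed-Origins\s*\{(.*?)\}\s*;', re.S)


def allowed_origins(conf_text):
    """Return the active (uncommented) Allowed-Origins entries."""
    text = re.sub(r'//[^\n]*', '', conf_text)   # drop // line comments
    m = BLOCK_RE.search(text)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def stale_origins(conf_text, distro_id, codename):
    """Return entries that cannot match the running release's archives."""
    stale = []
    for entry in allowed_origins(conf_text):
        resolved = (entry.replace("${distro_id}", distro_id)
                         .replace("${distro_codename}", codename))
        # Entry is "<origin><sep><archive>"; sep is a space or a colon.
        parts = re.split(r'[ :]', resolved, maxsplit=1)
        ok = (len(parts) == 2 and parts[0] == distro_id and
              (parts[1] == codename or parts[1].startswith(codename + "-")))
        if not ok:
            stale.append(entry)
    return stale


if __name__ == "__main__":
    # After a lucid -> maverick dist-upgrade the kept conffile matches nothing.
    print(stale_origins(STALE_CONF, "Ubuntu", "maverick"))
```

On a real machine the distro id and codename would come from lsb_release, and a non-empty result means security updates are silently no longer being applied.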

