Scot L. Harris wrote:
> IMHO automatic updates may be fine for home users, and for home users
> should probably be the default. But for production level
> systems/servers I would never permit automatic updates. First problem
> is having an updated package knock your service down or worse cause your
> system to lose data. Second problem is security. If the particular
> mirror being used happens to get compromised then you could have dozens
> if not hundreds of systems running trojan software which reports back to
> the person that compromised the mirror.

That's been thought about, and there is a mechanism in place to stop it
happening. Assuming that you actually imported the right GPG keys, and
still have gpgcheck=1 in your /etc/yum.conf, then there is no way for an
attacker to generate packages that your system will accept unless they
have a copy of the *private* key corresponding to one you installed.

The whole point of the GPG key palaver is to prevent rogue mirrors and
other errors in transmission.

> Taking a few minutes to review security updates and package updates is
> worth it.

I thoroughly agree (assuming the reviewer has the basic IT competence to
understand the notifications).

> In a true production environment one would never auto update
> the production system. Such changes would be done on a staging
> environment and testing performed to make sure everything works as
> expected. Then a planned roll out of the updates can be scheduled.

I wish! *Lots* of (usually small) companies will try "fire and forget"
with their servers, be they Windows, Linux, or whatever. They may not
*have* an IT staff, and decide that they will only get someone in to set
up new systems or when there is a problem.

In such cases, the only rational thing for the installer to do is to
completely firewall the server (not exactly possible for e-mail
servers...) or to trust the auto-update.

James.
-- 
James Wilkinson       | After all, all he did was string together a lot
Exeter Devon UK       | of old, well-known quotations.
E-mail address: james |     -- H.L. Mencken, on Shakespeare
@westexe.demon.co.uk  |
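
Added example, not part of the original message: the protection described above only holds while gpgcheck is still enabled, so this sketch lists every repository section whose effective gpgcheck is off, applying the [main] value where a repository sets none. The function names, the sample files, and the choices to treat a missing setting as disabled and to accept 1/yes/true as enabled are assumptions of the example.

```shell
#!/bin/sh
# Added example: report yum repositories whose effective gpgcheck is not on.
# Typical call: unsigned_repos /etc/yum.conf /etc/yum.repos.d/*.repo
unsigned_repos() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    # Assumption: 1, yes and true (any case) mean enabled; anything else,
    # including a missing value, is treated as disabled.
    function enabled(v) { v = tolower(v); return (v == "1" || v == "yes" || v == "true") }
    FNR == 1 { sec = "" }                 # a new file starts outside any section
    /^[ \t]*[#;]/ { next }                # skip comment lines
    /^[ \t]*\[.*\]/ {                     # section header: [main] or [repoid]
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "main" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    /=/ && sec != "" {
        key = trim(substr($0, 1, index($0, "=") - 1))
        val = trim(substr($0, index($0, "=") + 1))
        if (key == "gpgcheck") {
            if (sec == "main") maindef = val; else setting[sec] = val
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            eff = (s in setting) ? setting[s] : maindef   # per-repo value wins
            if (!enabled(eff)) print s
        }
    }' "$@"
}

# Constructed sample configuration (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '[main]\ngpgcheck=1\n' > "$d/yum.conf"
    printf '[base]\nname=Base\n\n[extras]\ngpgcheck=0\n\n[updates]\ngpgcheck = 1\n' \
        > "$d/sample.repo"
    unsigned_repos "$d/yum.conf" "$d/sample.repo"
    rm -rf "$d"
}

demo
```

A non-empty result means at least one repository would accept packages without a signature check, which removes the defence against a compromised mirror.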