SCIENTIFIC-LINUX-USERS Archives

July 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jeff Siddall <[log in to unmask]>
Date: Wed, 31 Jul 2013 13:49:08 -0400
On 07/31/2013 12:20 PM, Paul Robert Marino wrote:
> Agreed but as I said without restarting your services or rebooting in
> the case of a kernel the auto update can create a false sense of
> security.

Generally disagree.  That might be true of some badly designed packages 
but have a look at the ssh server rpm scripts as an example:

preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
         -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add sshd
preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]
then
         /sbin/service sshd stop > /dev/null 2>&1 || :
         /sbin/chkconfig --del sshd
fi
postuninstall scriptlet (using /bin/sh):
/sbin/service sshd condrestart > /dev/null 2>&1 || :

Given how few things are remotely accessible by default it is nice to 
know that the most important one (ssh) is at least going to be running 
the latest version.

> Also in production environments auto updates occasionally
> break things and it can take sysadmins hours to figure out what happened.
> If sysadmins plan their updates in regular cycles it allows them to
> first test on an introduction host. When they test first they should be
> able to discover any issue and work around and/or avoid them entirely
> when the updates get pushed into production. Also if something does
> break in production after a planned update they know what changed rather
> than having a mysterious failure which seemed to appear from nowhere.

Agreed, but if you are already doing all that why can't you turn off 
automatic updates manually when the system is first installed?

Jeff
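Paul's point above, that an updated package does not help until the process running the old code is restarted, can be checked rather than argued about. The script below is an added example, not something posted in this thread: it lists processes that still map files the kernel marks "(deleted)", which is what rpm leaves behind when it replaces a binary or library underneath a running process. It assumes a Linux /proc layout; the maps excerpt embedded in it is constructed for the self-test only.

```shell
#!/bin/sh
# Added example (not from the thread): find processes still executing code from
# a file that was replaced on disk, e.g. by an rpm update whose package has no
# condrestart scriptlet. Such mappings show "(deleted)" in /proc/<pid>/maps, so
# the process runs the OLD version even though rpm -q reports the new one.

# stale_paths: read one maps file on stdin, print each distinct regular file
# path that is mapped but marked deleted. Pseudo-files (/dev/zero, SysV shm,
# memfd) are "deleted" by design and are ignored.
stale_paths() {
    awk 'NF == 7 && $7 == "(deleted)" && $6 ~ "^/" &&
         $6 !~ "^/dev/" && $6 !~ "^/SYSV" && $6 !~ "^/memfd:" { print $6 }' |
    sort -u
}

# stale_report: print "pid comm path" for every stale mapping of one pid.
stale_report() {
    pid=$1
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    stale_paths 2>/dev/null < "/proc/$pid/maps" | while read -r path; do
        printf '%s %s %s\n' "$pid" "$comm" "$path"
    done
}

# scan_processes: walk all pids (root sees everything, an unprivileged user
# only its own). Returns 1 if at least one process needs a restart.
scan_processes() {
    found=0
    for d in /proc/[0-9]*; do
        out=$(stale_report "${d#/proc/}")
        if [ -n "$out" ]; then printf '%s\n' "$out"; found=1; fi
    done
    return $found
}

# Constructed sample maps excerpt: an sshd whose binary and libc were
# replaced after it started. Used only by sample_stale for a self-test.
SAMPLE_MAPS='7f0000000000-7f0000001000 r-xp 00000000 fd:01 12345 /usr/sbin/sshd (deleted)
7f0000001000-7f0000002000 r--p 00000000 fd:01 67890 /usr/lib64/libcrypto.so.10
7f0000002000-7f0000003000 rw-p 00000000 00:00 0 /dev/zero (deleted)
7f0000003000-7f0000004000 rw-s 00000000 00:04 999 /SYSV00000000 (deleted)
7f0000004000-7f0000005000 r--p 00001000 fd:01 12345 /usr/sbin/sshd (deleted)
7f0000005000-7f0000006000 r-xp 00000000 fd:01 11111 /usr/lib64/libc-2.12.so (deleted)
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]'

sample_stale() { printf '%s\n' "$SAMPLE_MAPS" | stale_paths; }

if [ "${1:-}" = "--scan" ]; then
    scan_processes && echo "no stale processes" || echo "restart the processes above"
fi
```

Run it as `sh stale.sh --scan` on a live host; on the constructed sample it reports sshd and libc once each and ignores the pseudo-file mappings.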