SCIENTIFIC-LINUX-USERS Archives

August 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Andras Horvath <[log in to unmask]>
Reply To:
Andras Horvath <[log in to unmask]>
Date:
Thu, 1 Aug 2013 15:02:31 +0200
Could you kindly provide an alternate solution? How can one patch the system without doing it "blindly"? How does one test the services outside production with production-like usage? IMHO we all must rely on upstream's QA.

Patching the system is supposed to fix known bugs and security flaws, and it may also bring unknown ones. But the huge difference is that when a fix is released for a particular problem, everybody gets to know about it at that very moment, hence the unpatched systems can be attacked much more this way, while the unknown bugs brought by the fixes may surely not be known by the wide audience. Therefore the latter is better for systems reachable through the internet.

I believe we must distinguish between systems with highly critical services on the LAN and systems on the internet. While it can be understandable to prefer not to patch the former at once, it is a better choice to patch the latter. So there is no good default setting. It always depends on the kind of usage.


On Thu, 1 Aug 2013 07:52:33 -0400
Vincent Liggio <[log in to unmask]> wrote:

> On Thu, 1 Aug 2013, Thomas Bendler wrote:
> 
> > Sorry, but this is simply false. Every system should, by default, install security
> > patches automatically after standard installation. Systems which are not
> > patched are not an option and not every admin is working on a daily basis on
> > the systems. If the admin decides not to use it, he should disable this feature
> > but it shouldn't be the default setting.
> 
> That's fine, do a single update immediately after install. If they are 
> "not an option" how come most OS's on the planet are not patched? (not 
> that this is a good thing, mind you).
> 
> I've been doing this long enough to know that patches can often break more 
> than they fix (and can introduce their own security bugs). To blindly 
> patch all the time is an immature way of being an admin.
