enterprise-ubuntu team mailing list archive

Thread
Date

Unwanted updates/staging

To: "enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx" <enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx>
From: Bolesław Tokarski <boleslaw.tokarski@xxxxxxxxx>
Date: Tue, 27 Nov 2012 16:06:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2

Hello,

I wanted to get your opinions/experiences/solutions used for automaticupdates.


I guess the 3 most common automatic upgrades approach are:
1. Go with it - install everything from upstream repositories.

2. Delay it - make a set of machines test the updates first before theyare deployed everywhere

3. Verify it - go through each update and (dis)approve
4. Abandon it - Linux is secure, why should I update it?
(note I meant 3 are most common, 4th is not ;)

For 10.04 we went with 1. but under the exception that some packageswere modified like in 3.For 12.04 we go with 1. - the custom packages are added-on and do notoverride any package from Ubuntu.


The advantages of 1. are numerous:

1. Security - your systems are always up-to-date and you are unlikely tobe behind with security vulnerabilities

2. Low (or no) amount of human intervention required. It just happens.

3. You are free to use any of the official Ubuntu mirrors on theInternet. Company laptops do not need to rely on corporate network toget updates.


The problems we have with 1. are:

1. You never know what's going to happen with the next update,especially if you have custom add-ons to updated software. In some casesyou need to adjust your add-ons quickly. By custom add-ons I also meancustom configuration.

2. There is no way to actually block a package that causes issues.

Although Ubuntu provides the -proposed repository where packages thatwill land in main reside for at least a week (that would be enough forus to either prepare assisting changes or report that the packagescauses issues here), we had a number of issues with updates that landedin -security which does not do staging in -proposed. Namely, these wereFirefox and Thunderbird.

I did not find a reasonable tool to do 2 or 3. Perhaps Landscape can doit, though I believe some required functionality is in development yet.We have used reprepro for filtering the package updates, but this causedanother issue: when people went home, they either had no access toregular packages (no corporate connection) or they got updates fromUbuntu upstream that broke their environment.

So, I was thinking how you approached the topic? Perhaps somebody hastheir custom Ubuntu repositories (not add-on repositories, I mean thewhole ~100GB/distro) on the Internet? Or did you do some tweaks to blockupdates to specific software before it's tested?


Cheers,
Ballock

Follow ups

Re: [Internet] Unwanted updates/staging
From: Dumond Stéphane CNE (SCA BCCP STSISI), 2012-11-27