On Thu, Nov 27, 2025 at 06:25:44PM +0200, George Shuklin wrote:
> On 11/25/25 7:39 PM, Charles Curley wrote:
> > > Given all that I came to ask for advice. Should we enable
> > > unattended-upgrades in Debian for baremetal servers (the same way as
> > > it is enabled for cloud VMs)? Mind, that this installation process is
> > > very automated, we ask users only on their partitioning preferences,
> > > hostname and ssh public key, so we can't simply 'ask user'.
> > I suggest you enable them, and document for your users that you have
> > done so and how to disable them.
>
> Can you give arguments in favor of this option, please?
>

The general security advice is to patch regularly and to keep up with security updates - this from various governments' cyber security authorities and because malevolent actors start exploiting vulnerabilities early.

The only counter indication is if updates require a restart to install a new kernel or whatever - at which point there is an interruption in service.

Probably better to provide upgrades without needing further explicit action from the users - but warn them that you've done so.

All best, as ever,

Andy
([email protected])

