On Thu, Nov 27, 2025 at 2:25 PM George Shuklin <[email protected]> wrote:
>
> On 11/25/25 7:39 PM, Charles Curley wrote:
>
> Given all that I came to ask for advice. Should we enable
> unattended-upgrades in Debian for baremetal servers (the same way as
> it is enabled for cloud VMs)? Mind, that this installation process is
> very automated, we ask users only on their partitioning preferences,
> hostname and ssh public key, so we can't simply 'ask user'.
>
> I suggest you enable them, and document for your users that you have
> done so and how to disable them.
>
> Can you give arguments in favor of this option, please?

The number one threat to user machines and servers is unpatched
software.  Microsoft determined that 25 years ago in one of their
security studies.  Microsoft also found that (1) attacks on internet
hosts started happening within 3 minutes of going online; and (2) a
typical machine compromise happened using an exploit that was over 60
days old, if I recall correctly.  And for Windows machines, 70% of
compromises happened using attacks that had been patched by antivirus
software a year earlier (but the AV subscription ended, so the malware
was unmitigated).

There's nothing special about Microsoft -- it happens to Apple, Unix
and Linux, too.  Malware authors are equal opportunity.

To stop the threat, you patch your machines in a timely manner.

You can read more about how to design secure systems in Peter
Gutmann's book Engineering Security,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>.  The
discussion on the Microsoft study was presented in Writing Secure Code
by Howard and LeBlanc, if I recall correctly.

Jeff
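As an added example (not part of this thread), here is a POSIX sh fragment an automated installer could use to enable unattended-upgrades on the target root and to give users the documented opt-out Charles mentions; the target root argument and the helper names are assumptions, and the APT::Periodic keys are the ones dpkg-reconfigure unattended-upgrades writes to 20auto-upgrades.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Debian target root in $1
# (e.g. /target during an automated install, or / on a live system) with
# the unattended-upgrades package installed in it.

AUTO_CONF="etc/apt/apt.conf.d/20auto-upgrades"   # file dpkg-reconfigure writes

# enable_unattended_upgrades ROOT: write the two APT::Periodic knobs read by
# the apt-daily timers. "1" means run once a day. The comment in the file is
# the user-facing documentation of how to turn it off again.
enable_unattended_upgrades() {
    root="$1"
    mkdir -p "$root/etc/apt/apt.conf.d"
    cat > "$root/$AUTO_CONF" <<'EOF'
// Written by the installer. To disable automatic upgrades set both values
// to "0" (or run: dpkg-reconfigure unattended-upgrades).
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# disable_unattended_upgrades ROOT: the documented opt-out for users.
disable_unattended_upgrades() {
    root="$1"
    mkdir -p "$root/etc/apt/apt.conf.d"
    cat > "$root/$AUTO_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
EOF
}

# unattended_upgrades_enabled ROOT: exit 0 only if both knobs are "1".
# Reads the file directly so it also works on an offline target root,
# where apt-config dump would need a chroot.
unattended_upgrades_enabled() {
    f="$1/$AUTO_CONF"
    [ -f "$f" ] || return 1
    grep -Eq '^APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$f" || return 1
    grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$f" || return 1
    return 0
}

# Stand-alone use from the installer: ./enable-uu.sh /target
if [ "$#" -eq 1 ]; then
    enable_unattended_upgrades "$1"
    unattended_upgrades_enabled "$1" && echo "unattended-upgrades enabled in $1"
fi
```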
