On Thu, 27 Nov 2025 18:25:44 +0200 George Shuklin <[email protected]> wrote:
> On 11/25/25 7:39 PM, Charles Curley wrote:
>
> >> Given all that I came to ask for advice. Should we enable
> >> unattended-upgrades in Debian for baremetal servers (the same way
> >> as it is enabled for cloud VMs)? Mind, that this installation
> >> process is very automated, we ask users only on their partitioning
> >> preferences, hostname and ssh public key, so we can't simply 'ask
> >> user'.
> > I suggest you enable them, and document for your users that you have
> > done so and how to disable them.
>
> Can you give arguments in favor of this option, please?
>

Others have given answers with which I concur.

For Debian specific advice, I'll suggest the Securing Debian Manual,
Javier Fernández-Sanguino Peña,
https://www.debian.org/doc/manuals/securing-debian-manual/securing-debian-manual.en.pdf
and the discussion at https://wiki.debian.org/SecurityManagement

I notice, however, that the Securing Debian Manual does not mention the
unattended-upgrades package. Other than that, the advice there is still
good.

One thing to watch out for, though. You can have the unattended upgrade
reboot the machine if that's appropriate. If the boot process requires
a password (LUKS encryption, e.g.), you may want to disable automatic
reboots and have the administrator reboot at a time when the
administrator can provide that password.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
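
The reboot caveat in the message above can be checked at provisioning time. The following shell check is an added example, not part of the original message: it reads `apt-config dump` output on stdin plus a crypttab path and flags automatic reboot combined with a passphrase-unlocked volume. The function names are hypothetical, the sample input is constructed, and treating a crypttab key field of `none` as a boot-time prompt is a simplifying assumption.

```shell
#!/bin/sh
# Added example: warn when unattended-upgrades may reboot a host whose
# boot then waits for a LUKS passphrase. Function names are hypothetical.

# Reads `apt-config dump` output on stdin; succeeds if Automatic-Reboot is on.
reboot_enabled() {
    awk -F'"' '
        # Exact key only: skips Automatic-Reboot-Time and -WithUsers.
        $1 ~ /^Unattended-Upgrade::Automatic-Reboot[ \t]*$/ { v = tolower($2) }
        END { exit (v ~ /^(true|yes|with|on|enable|1)$/) ? 0 : 1 }
    '
}

# Succeeds if a crypttab entry unlocked at boot has no key file.
# Assumption: key field "none", "-" or absent means a console prompt;
# keyscript= options are not interpreted.
crypttab_needs_passphrase() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments, blank lines
        $4 ~ /(^|,)noauto(,|$)/ { next }         # not opened at boot
        $3 == "" || $3 == "none" || $3 == "-" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage on a real host: apt-config dump | check_host /etc/crypttab
check_host() {
    if reboot_enabled && crypttab_needs_passphrase "$1"; then
        echo "RISK: automatic reboot is enabled but boot needs a LUKS passphrase"
        return 1
    fi
    echo "OK"
}

# Constructed sample input, not taken from a real host.
demo() {
    tab=$(mktemp)
    echo 'sda3_crypt UUID=constructed-0000 none luks,discard' > "$tab"
    echo 'Unattended-Upgrade::Automatic-Reboot "true";' | check_host "$tab"
    rc=$?
    rm -f "$tab"
    return "$rc"
}

demo || true
```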

