Easier installation of security updates

Registered by Marc Deslauriers

This session will discuss ways to get security updates installed quickly and easily.

Blueprint information

Status:
Started
Approver:
Kees Cook
Priority:
High
Drafter:
Marc Deslauriers
Direction:
Needs approval
Assignee:
Marc Deslauriers
Definition:
Approved
Series goal:
Accepted for maverick
Implementation:
Started
Milestone target:
milestone icon ubuntu-10.10
Started by
Kees Cook

Related branches

Sprints

Whiteboard

- Is the update-manager popup enough? Is it successful? Is it too annoying?
- Is the update-manager asynchronous popup a security issue with spoofing?
- Should security updates be turned on automatically by default?
- Should update-manager gain a "Always install security updates automatically in the future?" checkbox?
- Should we remove the password requirement for security updates? (an option in the update-manager settings panel?)

Work items:
[mvo] fix unattended-upgrades config file to not hard-code the current distro_codename in it (fixes conffile prompt): DONE
[mvo] add indicator that a restart is required to the mail that unattended-upgrades sends: DONE
[mvo] add a checkbox to enable automatic updates to the update-manager dialog: TODO
[mvo] create a helper to install updates before applications start: TODO
[mvo] modify firefox packaging to use the helper on firefox startup: TODO
[mvo] modify openoffice packaging to use the helper on openoffice startup: TODO

Gobby notes:

Without automatic security updates
* people complain that prompts are in the way
* prompt the user with information to reboot or restart session or restart firefox,
  and let them decide to do it now or not

With automatic security updates installed:
* seems many people don't install updates
* openoffice and firefox upgrades are problematic with auto updates
  - can flag these as needing special attention
  - everything can be autoupdate
* critical on boot or anytime, unimportant anytime, things that require a change
  of session before shutdown
  - security at shutdown has a lot of problems

Options
-------
What about auto updates during screensaver

Install update when user launches the application
- must be very robust since we don't want it to never open

on execution of any application check if it needs an update based on local cache
and prompt

update-manager prompts for 'now', 'ask later' or 'on startup'

update-manager could have 'while idle' and this could be during idle/screensaver or
possibly boot

update-manager could have an option to 'Always apply' so that auto updates can
be configured easily (needs firefox and oo.o)

preferences could have more options for idle, install, etc

Outcome
-------
[action]: investigate mechanism to update firefox/oo.o/etc on start
[action] mvo: add prominent checkbox/button/shinyness to update-manager to opt
  into auto updates

Server
------
- unattended upgrade works well
  - bug for when conffile is modified, and doesn't get updated and therefore
    on dist-upgrade the machine no longer auto updates (456906?, and 524545
    related to Unattended-Upgrade::Allowed-Origins being unchanged because
    of the conffile conflict due to the email address being set for every
    install)
- email requirement for rebooting a server
  https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/415202
- notfication mechanism for servers
  - have server twitter about need for updates :) Unattended-Upgrade::0wnme

(?)

Work Items