Easier installation of security updates

Registered by Marc Deslauriers on 2010-04-28

This session will discuss ways to get security updates installed quickly and easily.

Blueprint information

Kees Cook
Marc Deslauriers
Needs approval
Marc Deslauriers
Series goal:
Accepted for maverick
Milestone target:
ubuntu-10.10
Started by
Kees Cook


- Is the update-manager popup enough? Is it successful? Is it too annoying?
- Is the update-manager asynchronous popup a security issue with spoofing?
- Should security updates be turned on automatically by default?
- Should update-manager gain an "Always install security updates automatically in the future?" checkbox?
- Should we remove the password requirement for security updates? (an option in the update-manager settings panel?)

Work items:
[mvo] fix unattended-upgrades config file to not hard-code the current distro_codename in it (fixes conffile prompt): DONE
[mvo] add indicator that a restart is required to the mail that unattended-upgrades sends: DONE
[mvo] add a checkbox to enable automatic updates to the update-manager dialog: TODO
[mvo] create a helper to install updates before applications start: TODO
[mvo] modify firefox packaging to use the helper on firefox startup: TODO
[mvo] modify openoffice packaging to use the helper on openoffice startup: TODO

Gobby notes:

Without automatic security updates
* people complain that prompts are in the way
* prompt the user with information to reboot or restart session or restart firefox,
  and let them decide to do it now or not

With automatic security updates installed:
* seems many people don't install updates
* openoffice and firefox upgrades are problematic with auto updates
  - can flag these as needing special attention
  - everything can be autoupdate
* critical on boot or anytime, unimportant anytime, things that require a change
  of session before shutdown
  - security at shutdown has a lot of problems

What about auto updates during screensaver

Install update when user launches the application
- must be very robust since we don't want it to never open

on execution of any application check if it needs an update based on local cache
and prompt

update-manager prompts for 'now', 'ask later' or 'on startup'

update-manager could have 'while idle' and this could be during idle/screensaver or
possibly boot

update-manager could have an option to 'Always apply' so that auto updates can
be configured easily (needs firefox and oo.o)

preferences could have more options for idle, install, etc

[action]: investigate mechanism to update firefox/oo.o/etc on start
[action] mvo: add prominent checkbox/button/shinyness to update-manager to opt
  into auto updates

- unattended upgrade works well
  - bug for when conffile is modified, and doesn't get updated and therefore
    on dist-upgrade the machine no longer auto updates (456906?, and 524545
    related to Unattended-Upgrade::Allowed-Origins being unchanged because
    of the conffile conflict due to the email address being set for every
- email requirement for rebooting a server
- notification mechanism for servers
  - have server twitter about need for updates :) Unattended-Upgrade::0wnme
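
The conffile problem noted above (Allowed-Origins still naming the old release after a dist-upgrade) can be checked for mechanically. The following is an added example, not code from this blueprint or from unattended-upgrades; the function names and the sample file are constructed, and the archive parsing assumes Ubuntu-style "<codename>-<pocket>" names.

```python
import re

# Constructed sample: a 50unattended-upgrades conffile kept unchanged across a
# lucid -> maverick dist-upgrade, with one variable-based entry for contrast.
SAMPLE_CONF = r'''
Unattended-Upgrade::Allowed-Origins {
    "Ubuntu lucid-security";
//  "Ubuntu lucid-updates";
    "${distro_id} ${distro_codename}-security";
};
Unattended-Upgrade::Mail "root@localhost";
'''

ORIGINS_BLOCK = re.compile(
    r'Unattended-Upgrade::Allowed-Origins\s*\{(.*?)\}\s*;', re.S)

def allowed_origins(conf_text):
    """Return the active (uncommented) Allowed-Origins entries."""
    match = ORIGINS_BLOCK.search(conf_text)
    if not match:
        return []
    body = re.sub(r'//[^\n]*', '', match.group(1))  # drop // line comments
    return re.findall(r'"([^"]*)"', body)

def check_origins(conf_text, codename):
    """Classify each entry against the running release's codename.

    tracks-release     -- uses ${distro_codename}, survives a dist-upgrade
    hard-coded-current -- literal codename that happens to match today
    hard-coded-other   -- literal codename of another release: updates from
                          the running release's archive are not allowed
    """
    report = []
    for entry in allowed_origins(conf_text):
        if '${distro_codename}' in entry:
            status = 'tracks-release'
        else:
            # Entries are "<origin> <archive>" (later versions use ':').
            archive = entry.replace(':', ' ', 1).partition(' ')[2]
            suite = archive.split('-')[0]
            status = ('hard-coded-current' if suite == codename
                      else 'hard-coded-other')
        report.append((entry, status))
    return report

if __name__ == '__main__':
    for entry, status in check_origins(SAMPLE_CONF, 'maverick'):
        print(f'{status:20} {entry}')
```

On a real machine the codename argument would come from `lsb_release -cs` and the text from the installed conffile.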
