Correctly install security updates on Debian #129
Conversation
|
I also stumbled across this issue. I wonder whether it would be better to switch to the more powerful |
|
I can't see anything in the Origin for my packages which would help the switch from That seems imply changes to the configuration anyway - although I'm not sure what the stock Debian configuration looks like. I'm all for using the updated syntax too where supported. If you can point me to a reference I'm happy to update my PR, in hopefully a backwards-compatible way! |
|
The default configuration shipped with Debian Bookworm can be found here. The codename based matching used in these lines should work for a particular release independent from the archive it is presently in. The comments in the default configuration file provide quite detailed information on the available configuration options and some more information can be found in the README file. The |
|
aha, fantastic. My search-engine-fu wasn't up to scratch to find that. Yes porting to |
|
Something like that? {% if ansible_distribution == 'Debian' %}
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
// "origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
{% for origin in security_autoupdate_additional_origins %}
"{{ origin }}";
{% endfor %}
};
{% endif %}
{% if ansible_distribution == 'Ubuntu' %}
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
{% for origin in security_autoupdate_additional_origins %}
"{{ origin }}";
{% endfor %}
};
{% endif %} |
Currently, whilst Debian is advertised as supported, the
unattended-upgradesconfiguration doesn't actually install security updates, which could leave users with vulnerable servers, even though they've installed a package designed to install security updates automatically.This PR adds the Debian syntax for their security Origin, in a way which supports both Debian and Ubuntu-based distributions. Currently, it special-cases Debian, but I'm not opposed to special-casing both Debian and Ubuntu explicitly.
I would have gone through responsible-disclosure channels, as this has severe security ramifications with this change, however this is a very public issue already, but hasn't been resolved:
#126 is a great start, however the default configuration should still install security updates, as mentioned in the README.