[Whonix-devel] [qubes-devel] Why gets unattended-upgrades installed after Debian jessie -> Debian stretch upgrade?

Unman unman at thirdeyesecurity.org
Thu Feb 9 03:45:05 CET 2017

On Tue, Feb 07, 2017 at 06:21:30PM -0500, Chris Laprise wrote:
> On 02/06/2017 09:25 PM, Unman wrote:
> >On Mon, Feb 06, 2017 at 01:19:00PM +0000, Patrick Schleizer wrote:
> >>The unattended-upgrades was not installed on my Debian jessie system.
> >>After upgrading to Debian stretch, the package unattended-upgrades got
> >>installed. 'reverse-depends unattended-upgrades' [1] did not make me any
> >>wiser. There must be a gap in my apt knowledge. Can anyone shed light on
> >>this please?
> >>
> >>Best regards,
> >>Patrick
> >>
> >>[1]
> >>Reverse-Recommends
> >>==================
> >>* education-common
> >>* python3-software-properties
> >>
> >>Reverse-Depends
> >>===============
> >>* parl-desktop
> >>* plinth
> >>
> >>Packages without architectures listed are reverse-dependencies in:
> >>amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64,
> >>kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x
> >>
> >I remember a thread last year saying that unattended-upgrades should be
> >installed by default, and enabled. I guess that is what you're seeing
> >here Patrick.
> >This was on debian-devel - I thought it related to d-i but it may be
> >brought in as default package on dist-upgrade.
> >
> >Have a look here:
> >https://lists.debian.org/debian-devel/2016/11/msg00262.html
> >
> Unfortunately it clashes with template usage patterns... and probably not
> great for template-based VMs either.
> Automatic updates would be better initiated from dom0, since the templates
> don't run on a regular basis and there are VM maintenance issues as well.
> Chris

See my later email on this - it's a package that users have chosen to
install, because it's pulled in as a recommend. It's not currently
installed and enabled by default in Stretch.

I'm not sure if it does clash with Template usage - if you can start the
Template and have it automatically pull in security fixes that may
become part of standard usage.
What's certainly true is that it would be disastrous in a
TemplateBasedVM (and pointless).

But that's a generic problem with any Debian-based system now, that many
services start automatically once installed. We don't have a sensible
way of controlling this in Qubes at the moment, although there is a
long-standing issue on this.
