Hi Moritz,

Moritz Mühlenhoff <jmm@inutil.org> (2018-05-27):
> Sorry for the late reply, busy and backlogged in my inbox.

No worries, I know the feeling; and thanks for the detailed answer!
Replying only briefly (for similar reasons):

> u-u is also very rudimentary. It doesn't support service restarts
> e.g., so installing an openssl update is pretty pointless as it
> doesn't even attempt to warn/act on library restarts.
>
> It's also very brittle, only a few days ago I had to fix a stretch
> system where it uninstalled virtually all KDE packages after
> installing the VLC update (which installed a new version of libvlccore
> and all went kaboom).
>
> All this crap falls back to the security team, because people think
> our update broke the system. Or stuff like
> https://lists.debian.org/debian-security/2018/05/msg00011.html
>
> u-u breaks stuff (and would even more so if installed by default on
> servers, where it will cause unpredictable server downtimes during
> restarts etc.) and Debian should not be broken by default.
>
> If users make a conscious decision to accept the consequences of
> unattended-upgrades, then they can install it explicitly and have to
> deal with the fallout, but it must not be part of a default
> installation.
>
> If this had been proposed to team@security.debian.org before making
> the change we would have objected immediately as we are the ones
> primarily affected. We can't sensibly follow all the
> discussions/developments made in Debian, it's far too big. (And being
> in the security team is already so time-demanding that it leaves
> little for other Debian work anyway).

Sorry about the fallouts. I can't say for sure but ISTR I only found out
about this change when preparing a release announcement, even if there
were prior discussions in other channels (debian-devel@). The security
team should have been looped in, and I'm sorry I didn't think of it at
the time, even after the fact (= right after a D-I Alpha was published).
debian-boot@: the requested revert looks fine to me, bonus points if it
comes with a (short) summary of these reasons in changelog, so that they
can be emphasized in the release announcement. :)

Thanks to everyone involved.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant