Is automating apt-get upgrade a security risk?

ErrorBound · 06-15-2006, 01:42 PM

Hi
I'm using Kubuntu Dapper, and have become quite tempted to write a scheduled script (say daily or weekly) to run these:

Code:

apt-get autoclean
apt-get update
apt-get -y dist-upgrade

After looking this up, I have generally read that this can be a security risk because you are blindly installing things. Shouldn't it be alright since all it's doing is upgrading packages that I already have? What am I missing by automating it?

It seems to me that this would be a problem if I did not trust the repositories in my sources.list, but this is not really a concern, as I'm only using the regular Ubuntu + universe/multiverse repositories.

brianthegreat · 06-15-2006, 02:04 PM

Its really not much of a problem because Dapper already does this for security upgrades. Daily would keep you more security considering possible missed updates. Weekly just seems a little too long.

unSpawn · 06-15-2006, 02:41 PM

I have generally read that this can be a security risk because you are blindly installing things.
Looking at repo's the only thing that could happen is poisoning, but any (decent) package manager should use signature verification to check package integrity, besides that repo's get checked too (or so I would hope). Looking at the local situation then, except for the poisoning scenario, there's no security risk for home boxen I can see.

ErrorBound · 06-15-2006, 04:31 PM

If this script is simply placed in the /etc/cron.daily directory, will it run with sufficient privileges to run apt? Normally I have to run apt as root or using sudo.