On 09/16/2014 06:33 AM, Richard Hughes
wrote:
I've triaged many bugs to do with online and offline
update failures, and if we're going to say that we actually care
about
the users data, it becomes increasingly hard to defend the "old"
way
of doing it. I'm sure I could find numerous bugs numbers where
doing
an online update made the session/terminal crash which of course
leaves you with duplicate packages on your system which may or may
not
be fixable.
Richard
OK, but this is means that we painted ourselves in the
corner---something is wrong if my Android phone, which I don't have
to reboot for updates, has higher uptime than my computer.
We are in a bind: on one hand, the best security practice is to
upgrade daily to avoid emerging vulnerabilities; on the other hand
daily reboots aren't really a nutritious alternative. Something has
to give---which one do we do:
- create a separate daily security upgrade stream, curated to not
require reboots if at all possible
- follow Microsoft and do a fixed 'patch Tuesday' schedule instead
of ASAP updates
- rewrite Linux or at least Gnome/DBus for safe updates :)