Subiquity should install security updates before first login

Do you think it is important to be able to install security updates specifically vs just installing all updates?

I think it's important to install security updates at a minimum, but I don't see any reason not to install them all, besides the time it would take to do so.

Hi Marc, do you happen to know how to install security updates only via apt?

Two methods come to mind:

- Writing an apt sources.list that omits the -updates pocket
- Writing apt pinning rules that omits the -updates pocket.

I would prefer we install all updates, unless the user has explicitly requested only the -security pocket:

- Updates from -updates may be very important but not involve a security boundary.

- Doing a simple apt update && apt upgrade with the configured sources would be easier than trying to modify the sources or add and remove pinning without disrupting any pinning the user may have selected.

Thanks

Certainly just installing all updates would be easier (very easy in fact). Maybe we should just do that.

On Thu, Apr 4, 2019 at 9:06 PM Seth Arnold <email address hidden>
wrote:

> Two methods come to mind:
>
> - Writing an apt sources.list that omits the -updates pocket
> - Writing apt pinning rules that omits the -updates pocket.
>
> I would prefer we install all updates, unless the user has explicitly
> requested only the -security pocket:
>
> - Updates from -updates may be very important but not involve a security
> boundary.
>
> - Doing a simple apt update && apt upgrade with the configured sources
> would be easier than trying to modify the sources or add and remove
> pinning without disrupting any pinning the user may have selected.
>

This is something that is pretty easy to do with curtin config:

system_upgrade:
  enabled: true

However, on older releases, this does impact install time.

>
> Thanks
>
> --
> You received this bug notification because you are subscribed to
> subiquity.
> Matching subscriptions: subiquity-bugs
> https://bugs.launchpad.net/bugs/1817049
>
> Title:
> Subiquity should install security updates before first login
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/subiquity/+bug/1817049/+subscriptions
>

I would prefer simply installing all updates also.

We discussed this on a Foundations internal call this afternoon, and several counterarguments came up:

 - this is inconsistent with how other Ubuntu installers work today (e.g. ubiquity doesn't do this)
 - the point at which security updates can be installed is very late in the installation process, so installing updates before reboot is very likely to increase the time it takes to install a system
 - curtin already has to apt install the kernel, and should prefer the one from the security pocket if network updates are possible, so the 99% case for reboot-requiring security updates is already handled for subiquity installs without additional changes here
 - we don't have a clear idea of what's "expected" (do we want no updates? only security updates? all updates?) and we don't want to just punt the question to the user by making them answer this question as part of the install.

I think one thing it is reasonable to do is start the background downloading of the security updates once the rootfs is configured ('systemctl start apt-daily.service'). Maybe we should also consider special-casing apt-daily-upgrade.service on first boot so that it runs immediately instead of waiting until 6am. But I think the justification for enforcing that security updates are applied specifically before first login is weak; if there were security bugs so grave that we are worried about the user launching an insecure browser (the example given), we should equally be worried about this insecure browser being shipped in the live images (both desktop and server).

Today, ubiquity has the "Download updates while installing Ubuntu" option during installation, which will then be installed automatically after the first reboot. This bug was filed to obtain a similar feature.

Thanks, Marc. I think there are some doubts about what the ubiquity option actually does today or what it's supposed to do. I think we can at least commit to "install immediately after first reboot", and probably opportunistically download/install while waiting for the user to click the 'reboot' button.

https://github.com/CanonicalLtd/subiquity/pull/451 has an implementation (and asciinema video) of opportunistically downloading/installing updates.