I recently got into a discussion regarding automatic installation of security updates. The system is used and managed by a small nonprofit organization—essentially one or two admins managing the system in their free time. They typically touch the box only if there are feature updates to be done, or if something is not working (which they typically discover by people complaining about it, as there is no monitoring).
Since there is a high risk of admins neglecting security updates, I suggested automating security updates (specifically installing only security updates, not other updates). Now somebody else claimed that no serious admin would ever configure automatic installation of software updates.
The possible reasons against automation that I can think of do not seem major issues to me:
- Spoofed update repository—updating manually makes this no less likely to happen, and with proper signature verification, this should be fairly hard to exploit.
- Updates breaking the system—security updates should for the most part maintain interface compatibility and would thus be drop-in replacements, hence this risk is adequately mitigated by limiting automatic installation to security updates.
- Data corruption because of updates on a running system: with proper packaging and installation routines, I would expect packages to take proper measures (e.g. shutting down a service before upgrading it and restarting it afterwards).
- Downtime: can be controlled by scheduling automated upgrades to take place during a designated maintenance window; apart from that, I consider it less of an issue in this particular case as usage of the system is low.
What is the general recommendation regarding automatic installation of security updates (considering the scenario of a system that gets admin attention on a sporadic basis only)? What are the risks caused by automatic installation of security updates?