gwestwood
commented
4 years ago The only time I've had issues with updates from Debian was as part of server upgrades so, unlike the occasional issues with Microsoft updates borking systems, I am happy for automatic updates to be on by default to reduce the admin tasks.
I think that most of the time, the services we provide could be protected better by turning on automatic updates, particularly if we reduce our footprint to three servers, with a scheduled reboot when required on Friday night for one server, and Saturday night for the next for critical services, and as-required for the "manage" host.
This becomes especially relevant if we use docker for all exposed web applications, as then dependencies on the web engines (apache2/php, nginx/php or whatever we're requested to provide - in time!) can be patched up-to-date by the docker containers, without putting the "main OS" at risk.