[dev] [cvs] [Wiki] changed: SecurityTips
Kevin M. Myer
kmmyer at gmail.com
Tue Oct 31 16:50:53 PST 2006
On 10/31/06, Ben Klang <ben at alkaloid.net> wrote:
> On Monday 30 October 2006 12:00, Wiki Guest wrote:
> > +It's perfectly safe to put this into your crontab to let PEAR upgrade
> > itself.
> While of course I would strongly agree that keeping PEAR up to date is a good
> idea, do we really want to advocate doing this from CRON? I recently had an
> outage due to an upgrade of the PEAR Mail package when it was released with a
> bug. I was able to respond to it quickly because I was updating after hours
> and of course testing as I went. Updating from CRON just feels inherently
> dangerous to me.
It just depends what kind of admin you are. For a production
environment, completely relying on automatic updates can be a scary
proposition, if you haven't tested things out ahead of time in
a similar environment. I've never relied on Windows Automatic Update
on production servers (but have no problem letting it run on my home
laptop), for instance. Testing to make sure that a widget behaves as
expected is something that some people think isn't their
responsibility - but no developer can always anticipate what your
actual environment might be.
So all of that to say that I agree - autoupdate of core packages can
be a dangerous thing. Weigh the costs of an outage introduced by
autoupdate vs. the costs of having to manually update everything.
Kevin