1

I am migrating from Gentoo to Ubuntu and today, I learned the hard way that Ubuntu has mechanisms, such as unattended-upgrades, that can install software that I don't want on my system (in my case, it replaced my working firefox from the mozillateam-ppa with a dysfunctional snap-based version).

This can be, to put it mildly, frustrating and, indeed, I consider replacing my software without my consent 'nefarious'. Moreover, the service has other downsides as well (think about being connected to a metered hotspot for example, or not being able to shut down when in a rush).

I have now removed unattended-upgrades from my system but I still wanted to ask two things:

  1. Are there more mechanisms in Ubuntu that could lead to silently (that is, without me explicitly agreeing to it) changing my software- or configuration-setup?
  2. I suspect unattended-upgrades is explained in some handbook somewhere, so I should probably have read the Ubuntu manual, but wouldn't it be desirable to obtain the user's consent to automatic updates during the installation?
igel
  • 167
  • 1
    Ubuntu can also automatically update software installed as snap – Archisman Panigrahi Nov 17 '23 at 16:02
  • Note that if you don't want snapped Firefox, you need to do some settings in apt to force your PPA to have higher priority than the version of firefox in the repos which is a metapackage that installs the Snap version. That's not nefariousness, that's because Mozilla requested that preference/change – Thomas Ward Nov 17 '23 at 17:53

2 Answers

1

Ubuntu is designed for new and unskilled users who want a complete, feature-rich environment with sane defaults and automatic security updates.

As a Gentoo user, you're not that target user: You are skilled and experienced. For you, it might be a matter of cultural difference and minor technical differences. Let's not assume that minor technical differences equal nefarious intent.

In your particular case, you chose a minority path (Firefox Deb), and were surprised by a majority convenience (migrated to Firefox Snap). Surprise is understandable, but not nefarious. It's a change that is easily (and permanently) reverted by the minority of users who wish to stick to the deb.

You got a result from a complex system that differed from your expectation. That's not secret-cabal stuff. That's just what happens occasionally in any complex system.

Are there more mechanisms in Ubuntu that could lead to silently (that is, without me explicitly agreeing to it) changing my software- or configuration-setup?

Sure. Lots of them.

Any apt install, removal, source change, or upgrade has that potential. If you use other packaging methods or manual installs, those might offer surprises too.

However, such configuration changes are considered rude and outside Debian guidelines, and thus bugs when they are caused by a deb....

...except, of course, for the pain point you encountered. When Mozilla migrated from Deb to Snap, the choices were to help millions of users migrate, or to leave users to figure it out on their own. Ubuntu developers, after much public discussion, chose the former in keeping with the philosophy of safe-and-sane defaults, and it was very successful. Most users migrated from an Ubuntu-supported deb-provided safe-and-secure browser to a Mozilla-supported snap-provided safe-and-secure browser without a hiccup. Sorry that current left you unexpectedly on a shoal.

I suspect unattended-upgrades is explained in some handbook somewhere, so I should probably have read the Ubuntu manual, but wouldn't it be desirable to obtain the user's consent to automatic updates during the installation?

There's very little to explain.

There's nothing special about Unattended Upgrades. It simply runs apt in pretty much the same way that you would apt-update/apt-upgrade manually...but with a few sane defaults baked in as guardrails. (Example: The default setting includes only the -security repo. Not -updates, not -backports).

It's active by default because that's what the vast majority of users want: Automatic security updates that they don't need to review, they don't need to configure, they don't need to tweak or faddle with.

You don't want it? Great. You discovered that it can be turned off or removed. Now Ubuntu won't automatically download and install security updates anymore.

It doesn't matter whether a deb package upgrade is triggered manually (apt update/apt upgrade) or by Unattended Upgrades or by any other package manager frontend. The outcome will be identical in each case...with the limited exception that Unattended Upgrades, with fewer sources, will tell apt to upgrade fewer packages.

  • You mentioned metered connections. If you mark a connection in Network Manager as "metered", unattended upgrades won't use it. Nor will Snap refreshes. Both will wait until an unmetered connection becomes available.
user535733
  • 62,253
  • Thanks for the extensive answer and your continued patience with me :) You're saying "Now Ubuntu won't automatically download and install security updates anymore" and I suspect you mean "... via unattended-upgrades". I'm not too concerned with apt-installs or manual-installs since I specifically ask for them. An apt-install gives me a list of software it will install and I manually agree to it being installed via a "[Y/n]"-prompt, so this doesn't qualify as "silent". Do I read this correctly that unattended-upgrades is, in this sense, the only method to silently install software? – igel Nov 18 '23 at 17:45
  • Not in the broad sense that you are asking: UU cannot be used to select and install new deb packages. It can only upgrade packages that are already installed. And the default setting is security upgrades only. – user535733 Nov 18 '23 at 18:39
  • In your specific case, the proximate cause of your Snap migration was the install script inside the upgraded deb package that you already had installed. Doesn't matter whether the upgrade was triggered by UU or apt or Synaptic or Update Manager. The result would have been the same if you were sitting at the keyboard. – user535733 Nov 18 '23 at 18:40
  • "I suspect you mean '... via unattended-upgrades'. " To be clear: You still get deb package security upgrades whenever you trigger a manual apt upgrade. You now get zero automatic deb package security updates until you restore UU or build your own alternative. Removing UU removed automatic deb package security updates. That's what it does. – user535733 Nov 18 '23 at 18:46
  • "whenever you trigger a manual apt upgrade" - as I said, I'm not concerned about those since apt tells me that it's going to do it, before it actually does it, so that's cool with me.

    "You now get zero automatic deb package security updates until you restore UU or build your own alternative." - I was hoping for zero automatic updates, period. But I suppose you wanted to account for automatic Snap updates, as mentioned in the answer, so I guess I'll settle for this one (I already removed snap from the system, so that's also okay with me).

    – igel Nov 20 '23 at 10:11
  • I do want to remark that I still cannot wrap my head around some of the decisions around UU. Why is there no opt-out during OS-install? Why no pop-up window like "there are security updates, is this a convenient time to install them?" by UU? I've seen such windows on other distributions, even with a button "don't tell me this in the future", just.... anything that doesn't leave the user completely in the dark about UU would be nice. I suppose I should make a feature request on launchpad for that... – igel Nov 20 '23 at 10:21
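
The answer's point that unattended-upgrades only acts on the origins named in its configuration can be checked by reading that configuration. The following is an added example, not part of the original answer or of Ubuntu's tooling: a small Python parser for the two apt configuration files involved. The file contents are constructed samples and the function names are hypothetical.

```python
import re

# Constructed samples in the style of /etc/apt/apt.conf.d/20auto-upgrades and
# /etc/apt/apt.conf.d/50unattended-upgrades (not copied from any real system).
AUTO_UPGRADES = '''
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
'''
UU_CONF = '''
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-backports";
};
'''

def strip_comments(text):
    """Remove /* ... */ blocks and lines that start with //."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)

def scalar(text, key):
    """Last quoted value assigned to `key`, or None if it is never set."""
    hits = re.findall(r'^[ \t]*' + re.escape(key) + r'\s+"([^"]*)"\s*;', text, flags=re.M)
    return hits[-1] if hits else None

def list_block(text, key):
    """Quoted entries of `key { ... };`. The block ends at '};' only, because
    entries such as "${distro_id}" contain braces themselves."""
    m = re.search(re.escape(key) + r'\s*\{(.*?)\}\s*;', text, flags=re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def audit(auto_upgrades, uu_conf):
    """Report whether unattended upgrades run and which origins they may use."""
    periodic = scalar(strip_comments(auto_upgrades), 'APT::Periodic::Unattended-Upgrade')
    origins = list_block(strip_comments(uu_conf), 'Unattended-Upgrade::Allowed-Origins')
    return {
        'enabled': periodic not in (None, '0'),   # unset or "0" means no automatic runs
        'origins': origins,
        # anything listed here is upgraded automatically beyond security fixes
        'beyond_security': [o for o in origins if not o.endswith('-security')],
    }

if __name__ == '__main__':
    print(audit(AUTO_UPGRADES, UU_CONF))
```

On a real system the effective values come from all files under /etc/apt/apt.conf.d merged together, which `apt-config dump` shows.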
0

Using the Software & Updates tool you can set your update policies.

machs
  • 11
  • is this just a gui to configure unattended upgrades or is it something else entirely? – igel Nov 17 '23 at 16:21