Automatic security updates after first image flash

Tristan107 · May 24, 2017, 2:27pm

Are there any automatic security updates after first image flash ?

imrehg · May 24, 2017, 2:39pm

Hey, there are no automatic updates yet, but as the resin Host OS update story is developing (1.x->2.x, and 2.x->2.x updates, besides the current 1.x->1.x updates that work already), we are planning to develop automatic update capabilities (besides the current on-demand ones). It has a lot of corner-cases, so it will still take some time. In the meantime the hostOS is very minimal and should be generally well locked down, but better safe than sorry…

Which resinOS versions and hardware do you have yourself deployed?

What do you think, how would an automatic update service would look to you (on a high level), that you’d imagine to work for you?

Tristan107 · May 24, 2017, 3:23pm

Just a really simple daily cron task auto installing all packages published on “security” packages list.

imrehg · May 24, 2017, 3:50pm

That’s within your user application or the hostOS?
Because the hostOS from resinOS 2.0 is read-only, any updates are updating the entire system. Also, most users would not want the underlying system changing in ways that were not tested (as it would be with a setup as you seem to imply).

Any security packages lists that you are following yourself?

We are actually working on something that could be helpful for this, but not quite there yet. Interesting to gather more use cases, to make sure we build something that is widely useful.

Tristan107 · May 24, 2017, 6:03pm

I’m only talking about the hostOS because I guess anyone can deal with what happens in docker containers.

I’m not a sysadmin so I’m only telling you about things I’ve read :

This is for Debian/Ubuntu but as far as I can read, there is no separate security repository for raspbian which invalidates the good practices u can have on servers.

imrehg · May 24, 2017, 7:40pm

Yeah, for user/server distros it makes complete sense to have such update! In resinOS’s case it feels less relevant. The host OS here is a custom distro, with hand-picked packages/components, and very much cut down surface area. And as mentioned, most devices on resin.io are such that “do not touch - unless explicitly requested”.

Thinking about it, the most likely current approach is getting to the point when 1) any device can be remotely updated in a self-service way, 2) have the ability to communicate to all users that might be affected when something hits the fan.

Good feedback, though, definitely adding automatic updates to our list to consider, and follow up on it.