[tor-relays] fixing unattended-upgrades' config

Pascal Terjan pterjan at gmail.com
Sat Jul 7 20:29:01 UTC 2018


On 7 July 2018 at 20:02, nusenu <nusenu-lists at riseup.net> wrote:
>
>>> maybe it would be a good idea to switch to unattended-upgrades?
>>
>> I have never managed to get it to work :(
>> I have set it up on several machines and nothing ever got upgraded
>> whatever the config I set.
>> After spending too much time trying to get it to work I decided to use
>> my own script
>
> we added documentation for unattended-upgrades to the tor relay guide,
> I hope this is helpful for you:
>
> https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/DebianUbuntuUpdates
>
> maybe give it a try and let us know if it doesn't work for you?

Just a note that most of my relays are currently Ubuntu (16.04), one
is Debian and others are not Debian-based.

I noticed one of my relays still had 0.3.1.9, and it seems to be a
16.04 where I forgot to add my script, so that's a good place to see
what happens.

The syntax of the expected config seems to be different from that
documentation. I believe the one I had was the default with the tor
line added:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESM:${distro_codename}";
        "TorProject:${distro_codename}";
};

It seems there were 2 reasons why I was getting nothing updated:

1/ "${distro_id}:${distro_codename}-security" was wrong, as security
updates are in "${distro_id}:${distro_codename}-updates", not
-security.
    For example, if I understand
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.6/+publishinghistory
correctly, it was first published in -security then moved to -updates.
2/ tor gets blacklisted because "Package 'tor' has conffile prompt and
needs to be upgraded manually"
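
An added example, not part of the original message: a check of which apt sources the Allowed-Origins block quoted above does not cover. The `apt-cache policy` lines are constructed sample data, the function names are hypothetical, and the matching is assumed to be an exact origin:archive comparison against each release line's o= and a= fields.

```python
import re

# Allowed-Origins block as posted in the message above (ESM comment shortened).
CONFIG = r'''
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance
        "${distro_id}ESM:${distro_codename}";
        "TorProject:${distro_codename}";
};
'''

# Constructed `apt-cache policy` release lines (not captured from a real host).
POLICY = '''
     release v=16.04,o=Ubuntu,a=xenial-updates,n=xenial,l=Ubuntu,c=main,b=amd64
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=main,b=amd64
     release v=16.04,o=Ubuntu,a=xenial,n=xenial,l=Ubuntu,c=main,b=amd64
     release o=TorProject,a=xenial,n=xenial,l=TorProject,c=main,b=amd64
'''

def allowed_origins(config, distro_id, codename):
    """Return the set of (origin, archive) pairs the block allows."""
    m = re.search(r'Allowed-Origins\s*\{(.*?)\};', config, re.S)
    pairs = set()
    for line in (m.group(1) if m else '').splitlines():
        line = line.strip()
        if line.startswith('//'):          # apt.conf comment line
            continue
        for entry in re.findall(r'"([^"]*)"', line):
            entry = entry.replace('${distro_id}', distro_id)
            entry = entry.replace('${distro_codename}', codename)
            origin, _, archive = entry.partition(':')
            pairs.add((origin, archive))
    return pairs

def configured_sources(policy):
    """(origin, archive) per release line; o= is directly followed by a=."""
    return re.findall(r'release .*?\bo=([^,\s]+),a=([^,\s]+)', policy)

def uncovered(config, policy, distro_id, codename):
    """Sources apt knows about that no Allowed-Origins entry matches."""
    allowed = allowed_origins(config, distro_id, codename)
    return [p for p in configured_sources(policy) if p not in allowed]

if __name__ == '__main__':
    for origin, archive in uncovered(CONFIG, POLICY, 'Ubuntu', 'xenial'):
        print(f'not covered by Allowed-Origins: {origin}:{archive}')
```

On a real host, replace POLICY with the output of `apt-cache policy` and pass the values that `lsb_release -is` and `lsb_release -cs` report.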

