English Spanish
Dnf in Fedora has the GPG key checking enabled by default. Assuming that you have imported the correct GPG keys, and still have `gpgcheck=1` in your `/etc/dnf/dnf.conf`, then we can at least assume that any automatically installed updates were not corrupted or modified from their original state. Using the GPG key checks, there is no way for an attacker to generate packages that your system will accept as valid (unless they have a copy of the *private* key corresponding to one you installed) and any data corruption during download would be caught.
[email]
# The address to send email messages from.
email_from = root@localhost.com
[emitters]
emit_via = email
Even the general rule above has exceptions, or can be worked around. Some issues might be resolved through a special setup on your part. For example, you could create your own DNF repository on a local server, and only put in tested or trusted updates. Then use the automatic updates from only your own repository. Such setups, while perhaps more difficult to set up and maintain, can remove a large amount of risk otherwise inherent in automatic updates.
However, the question would also apply to the question of update quality. Will the installation of the package cause problems on your system? This we can not answer. Each package goes through a QA process, and is assumed to be problem free. But, problems happen, and QA can not test all possible cases. It is always possible that any update may cause problems during or after installation.
If all the above apply to your machine(s), then automatic updates may be your best option to help secure your machine. If not all the above apply, then you will need to weigh the risks and decide for yourself if automatic updates are the best way to proceed.
If you decide to use automatic updates, you should at least do a few things to make sure you are up-to-date.
If you want to disable auter from running, including from any cron job:
Instead of automatic updates, dnf-automatic can only download new updates and can alert you via email of available updates which you could then install manually. This can be set by editing of `/etc/dnf/automatic.conf` file.
It provides a critical service that you don't want to risk having unscheduled downtime.
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to to send email messages.
email_host = localhost
Notifications
On a fresh install of Fedora 22 with default options, the dnf-automatic RPM is not installed. The first command below installs this RPM:
Once you are finished with the configuration, execute:
Other methods of protection
Reasons AGAINST using automatic updates
Reasons FOR using automatic updates
Run dnf-automatic
Scheduling updates