Hello
I finally took the step from V3 to V4 and thanks to Node-red I recreated all my scenarios.
My question is about updating Gladys on my raspberry with the Gladys raspberry image.
So when a new update is sent, it is automatically downloaded and then installed by Gladys, but does this include the packages corrected by Debian and then taken over by Raspi OS to fix security vulnerabilities?
When in doubt, I always run
sudo apt update
and sudo apt upgrade
I also changed the SSH password to avoid ending up with a zombie raspberry pi.
I didn’t find an answer in the documentation, which is why I’m asking the question.
Thanks
With each new version, Gladys and its dependencies are updated.
Gladys runs in Docker, so this only applies to the container and not to the Raspberry Pi OS, which is not automatically updated.
However, if you haven’t tampered with your ISP box, your Raspberry Pi is not exposed to the internet, so nobody should be able to connect to it via SSH from outside your local network.
That said, it’s still a good idea to have changed the default password.
In summary, Gladys is updated but not the Raspberry Pi system, and this represents a risk that remains low as it is not directly exposed to the internet.
The Raspberry Pi OS image provided applies the maximum security best practices.
As @lmilcent mentioned, in the Gladys Docker container, with each deployment of a new version Gladys is redeployed as a fresh container based on a fully up-to-date system, and all dependencies are updated when security vulnerabilities are reported.
However, this is not entirely true!
We use the "unattended-upgrade" package at the system image level, which runs every night to automatically update system packages that have security vulnerabilities and can be patched without a reboot, and only those, to avoid breaking the system.
The one thing this package does not handle is a critical vulnerability at the kernel level: that patch cannot be applied without a reboot. On the Gladys side, we cannot decide when to perform the reboot, because home automation is a critical program. If you use Gladys as an alarm and Gladys starts rebooting at the moment you are being burglarized at night, that’s not ideal!
However, Linux kernel vulnerabilities are rarer; generally we hear about them and can tell the community that you need to reboot your system.
Perhaps add an additional parameter in "Operations" that would, by default, propose an automatic reboot 24 hours or more after a kernel update. The user would be informed by the team that an update is necessary and could, at their discretion, perform the reboot themselves within the given time frame or let Gladys handle it!
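As an added example (not Gladys project code and not from either poster), a small POSIX shell script for the Raspberry Pi host that detects the situation the two replies above describe: unattended-upgrades has applied a kernel patch that cannot take effect until a reboot, and the operator, not Gladys, decides when. It assumes the Debian /var/run/reboot-required flag files (the ones unattended-upgrades itself consults for Automatic-Reboot); the package names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Gladys project code. Checks whether a Debian / Raspberry Pi OS
# host has a reboot pending after unattended-upgrades applied a kernel or libc patch.
# /var/run/reboot-required(.pkgs) is the flag that unattended-upgrades consults for
# Automatic-Reboot; that the Raspberry Pi OS kernel packages write it is an assumption.

# Returns 0 when the reboot flag file exists ($1 overrides the default path for testing).
reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Prints the packages that raised the flag, one per line, deduplicated; nothing if absent.
reboot_pending_pkgs() {
    f="${1:-/var/run/reboot-required.pkgs}"
    [ -f "$f" ] || return 0
    sort -u "$f"
}

# Returns 0 when a kernel image is among them: the case the thread says needs a reboot.
kernel_update_pending() {
    reboot_pending_pkgs "$1" | grep -q '^linux-image'
}

# The apt.conf keys that decide the behaviour discussed above: the image's current
# "no automatic reboot" stance versus the delayed, quiet-hour reboot proposed in the thread.
reboot_policy_snippet() {
    cat <<'EOF'
Unattended-Upgrade::Automatic-Reboot "false";      // current: the user decides when
Unattended-Upgrade::Automatic-Reboot "true";       // proposed alternative ...
Unattended-Upgrade::Automatic-Reboot-Time "04:00"; // ... reboot at a quiet hour
EOF
}

# Demonstration on constructed flag files so the script runs offline.
demo() {
    tmp=$(mktemp -d)
    printf '*** System restart required ***\n' > "$tmp/reboot-required"
    printf 'linux-image-rpi-v8\nlibc6\nlinux-image-rpi-v8\n' > "$tmp/reboot-required.pkgs"
    if reboot_pending "$tmp/reboot-required"; then
        echo "reboot pending for:"
        reboot_pending_pkgs "$tmp/reboot-required.pkgs"
        if kernel_update_pending "$tmp/reboot-required.pkgs"; then
            echo "kernel update: schedule the reboot when the home is not relying on Gladys"
        fi
    fi
    rm -rf "$tmp"
}
demo
```

Run it on the Pi without arguments to read the real flag files; a cron or systemd timer could use kernel_update_pending's exit status to raise a notification instead of rebooting.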