DNF automation bot

Do I really trust Fedora to apply automated updates?

Short answer: Yes, dnf-automatic works great. Except when external repositories are involved.

Earlier today, I wrote about how you can configure Fedora to download and install updates automatically. Avid readers of my blog may recall some of my earlier writings on auto-updates including The constant software update tyranny and The software update experience sucks! These articles were primarily about Windows, and the gist of those articles were that software updates mustn’t get in the way of letting the user get their things done with forced automated updates and interruptive dialogs.

Automated updates in Fedora just does its thing in the background without getting in your way – up until a point. Occasionally, you do need to reboot the system to apply an update, but it’s not done automatically. The user stays in control of their system and can reboot at their leisure. The package management system, DNF, can be configured to notify the user of updates through the systemd journal, email, or a custom command to trigger a notification up pending or completed updates.

If you reboot your PC or server running Fedora once a week, you only need to worry about the end-of-life for the release – which is about every two years. As long as you stick with using the Fedora repository only, you shouldn’t have any problems with automated updates.

That last caveat can be a real problem for Workstation deployments that rely on proprietary firmware blobs. Proprietary firmware blobs are generally a problem in themselves, but in the Fedora ecosystem they’re more of a problem than say Ubuntu because the Fedora repositories don’t include any proprietary blobs out of principle. Users have to turn to third-party repositories like the popular RPM Fusion repositories for device drivers.

In my own experience, Fewer and fewer devices rely on proprietary drivers. However, my main PC relies on the [a]kmod-nvidia graphics card driver and although I’ve replaced the Broadcom chip in my primary laptop; I can’t do the same with the Broadcom chip in my non-serviceable MacBook. I believe the broadcom-wl wireless network driver has been the most troublesome package I’ve ever installed on any system, and it causes issues working every few months or so.

The problem with third-party repositories, and especially when used for hardware support, is that they quickly become out of sync with the Linux kernel version available in the main Fedora repositories. Firmware drivers, often implemented as kernel modules, often rely on specific versions of the Kernel to function, and external repositories are not part of the testing and release cycles of Fedora. They also can’t magically produce newer versions of proprietary blobs once these stops working with the kernel version that Fedora ships. To make things worse, external repositories are often maintained by small teams with limited abilities to respond quickly to new kernel releases.

RPM Fusion has a sort-of-solution to this problem called akmods. Akomds are kernel modules that will attempt to automatically rebuild themselves after an updated kernel has been installed and booted. The rebuild process is done on the first boot-up with a new Kernel, and can take significant time even on a high performance modern desktop PC. Unfortunately, these kernel module rebuilds don’t always work – or will conflict with automatically installed open source drivers pushed from the main Fedora repository. Which means you end up with a system without working devices after an upgrade.

Now, none of the above is really the fault of DNF automatic. However, its reason to be a bit conservative regarding automatically applying updates to a system that relies on proprietary firmware blobs.

You may also see version conflicts when the main Fedora repository updates a package that a piece of software that you’ve installed from a third-party repository has marked as a dependency.

For my own purposes, I’ve turned on automatic downloads on every machine. Priming the cache means I spend less human-time on updates. This is a no-brainier unless you’re in a bandwidth constrained environment — for which DNF also provides solutions that can be combined with automatic updates.

I’ve also turned on automatic installation of all updates on some of the servers I manage. I’ve enabled automated installation security updates all my other PCs. The only exception is my MacBook which depends on the Broadcom firmware for networking. A laptop is pretty useless to me without wireless networking, and the Broadcom driver has failed quite often on me after system updates. I like to only update this machine in a controlled environment.

I’ll update this post in the future if I run into any serious problems with automated updates in Fedora.