Update docs to include instructions for unattended-upgrades

Starting with Ubuntu 20.04, we plan on using unattended-upgrades instead of cron-apt.
freedomofpress · Feb 15, 2021 · fba36b5 · fba36b5
1 parent ddc02aa
commit fba36b5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 15 deletions.
diff --git a/docs/admin.rst b/docs/admin.rst
@@ -413,23 +413,42 @@ for how to enable error logging for the *Source Interface*.
 Immediately Apply a SecureDrop Update
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-SecureDrop will update and reboot once per day. However, if after a SecureDrop
-update `is announced`_ you wish to fetch the update immediately, you can SSH
-into each server (via ``ssh app`` and ``ssh mon``) and run:
-
-.. code:: sh
-
-  sudo cron-apt -i -s
-
-Depending on the nature of the update (e.g., if the ``tor`` package is upgraded
-and you are using SSH-over-Tor), your SSH connection may be interrupted, and you
+SecureDrop will update and reboot once per day. However, once a SecureDrop
+update `is announced`_ , you can opt to fetch the update immediately. Depending
+on the nature of the update (e.g., if the ``tor`` package is upgraded and you are
+using SSH-over-Tor), your SSH connection may be interrupted, and you
 may have to reconnect to see the full output.
 
 .. important::
 
    Except where otherwise indicated, make sure to update both your
    *Application Server* and your *Monitor Server*.
 
+
+To update your servers immediately, you can SSH
+into each server (via ``ssh app`` and ``ssh mon``) and run the following command,
+noting the value of ``VERSION_CODENAME``:
+
+.. code:: sh
+
+  cat /etc/os-release
+
+VERSION_CODENAME is "Focal"
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code:: sh
+
+  sudo unattended-upgrades
+
+
+VERSION_CODENAME is "Xenial"
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code:: sh
+
+  sudo cron-apt -i -s
+
+
 .. _`is announced`:
   https://securedrop.org/news
 

diff --git a/docs/servers.rst b/docs/servers.rst
@@ -236,9 +236,8 @@ Disk Encryption
 If the servers are ever powered down, FDE will ensure all of the
 information on them stays private in case they are seized or stolen.
 
-.. warning:: The Ansible playbooks for SecureDrop will enable nightly reboots
-             after the ``cron-apt`` task runs for automatic updates. Using FDE
-             would therefore require manual intervention every morning.
+.. warning:: The Ansible playbooks for SecureDrop will enable nightly reboots.
+             Using FDE would therefore require manual intervention every morning.
              Consequently **we strongly discourage the use of FDE.**
 
 While FDE can be useful in some cases, we currently do not recommend
@@ -282,8 +281,8 @@ subsequent SecureDrop installation will include a task that handles
 regular software updates.
 
 .. note:: The Ansible playbooks for SecureDrop will configure automatic
-          updates via ``cron-apt``. As part of the automatic update process,
-          the servers will reboot nightly. See the
+          updates via ``unattended-upgrades``. As part of the automatic update
+          process, the servers will reboot nightly. See the
           :ref:`OSSEC guide <AnalyzingAlerts>` for example notifications
           generated by the reboots.