Regarding orbit I understand it uses TUF which sounds good H

Question

Regarding orbit I understand it uses TUF which sounds good However until we ve looked at the update process in detail I d like remove one upstream dependency by not having it auto update we might run our own update server later How would I go about disabling the auto udpate Is passing ` disable updates` sufficient Will that still allow me to push things like changes to the flags using fleet

Lucas Rodriguez · Answer

Hi Tilman After some requests from the community we added the ` disable updates` option With that flag set during the package generation Orbit won t run any auto update routines so it won t reach out to a TUF at all gt Will that still allow me to push things like changes to the flags using fleet Yes that continues to be the same ` disable updates` just disables auto updates of Orbit+osquery via a TUF server

Tilman Bender · Answer

Ah so I must pass it to `fleetctl package` Or could I also pass that parameter to the orbit binary itself e g by deploying a modified systemd file on linux

Lucas Rodriguez · Answer

Ah yes you can pass the same flag to Orbit itself too

Tilman Bender · Answer

Perfect That be sufficient to reduce some of the backlash I might be getting

Tilman Bender · Answer

currently looking into ansible task to deploy internally

Tilman Bender · Answer

Tell a bunch of security folk you want to install a service that s running as root and auto updating from an external source and you can expect some serous backlash smile

Lucas Rodriguez · Answer

Indeed The other alternative is using the Premium feature in Fleet to set up and have fleetctl orbit point to a user owned TUF server

Tilman Bender · Answer

Yup We already bought al license to have teams but I simply don t have the time to roll my own udpate server now

Tilman Bender · Answer

Also we ll first have a look at TUF maybe it passes msuter with an external update server