# fleet
t
Regarding orbit: I understand it uses TUF which sounds good. However, until we've looked at the update process in detail, I'd like to remove one upstream dependency by not having it auto-update (we might run our own update server later). How would I go about disabling the auto-update? Is passing --disable-updates sufficient? Will that still allow me to push things like changes to the flags using fleet?
l
Hi Tilman. After some requests from the community we added the --disable-updates option. With that flag set during the package generation, Orbit won't run any auto-update routines (so it won't reach out to a TUF at all).
> Will that still allow me to push things like changes to the flags using fleet?
Yes, that continues to be the same. --disable-updates just disables auto-updates of Orbit+osquery via a TUF server.
t
Ah, so I must pass it to fleetctl package? Or could I also pass that parameter to the orbit binary itself? E.g. by deploying a modified systemd file on Linux?
l
Ah yes, you can pass the same flag to Orbit itself too.
t
Perfect. That should be sufficient to reduce some of the backlash I might be getting.
Currently looking into an Ansible task to deploy internally.
Tell a bunch of security folk you want to install a service that's running as root and auto-updating from an external source and you can expect some serious backlash 😄
l
Indeed. The other alternative is using the Premium feature in Fleet to set up and have fleetctl/orbit point to a user-owned TUF server.
t
Yup. We already bought a license to have teams, but I simply don't have the time to roll my own update server now.
Also, we'll first have a look at TUF; maybe it passes muster with an external update server.