I know this is a bit late in the process but I think our scenario might add to the discussion.
We run a SAAS system for a large number of clients. Each client has their own VM instance.
Many of our clients run a 24 x 7 operation.
Many of our clients are also hypersensitive to any system changes.
The result is that we need to have complete control over when any upgrades happen to a system (including any third party snaps that our stack depends on).
We also need to apply upgrades (such as emergancy patches) to specific systems as and when needed.
So whilst I understand the inclination to ensure that all snaps are always up to date, taking the control out of system administrators hands seems to be a mistake.
I completely agree that the default snap install should auto update.
This handles the most common case where the user either doesn’t know or doesn’t want to manage updates.
The second scenario where you can schedule updates (say micro updates) each Tuesday is also nice.
But I have to be honest I don’t see any way around a global dead switch for environments like ours that need to tightly manage upgrades.
I’m happy if the switch is hard to turn on and not obvious, but if I need the control then the control should be mine.
We can’t possibly predict every possible way that snaps are going to be used and the requirements for upgrade paths, so rather than dictating how things are we should provide great defaults but allow experienced people to manage their systems how they see fit.