Comment 7 for bug 831487

Now that unattended-upgrades defaults to installing security updates in Xenial, I think this needs more attention. In mitigation, one can disable unattended-upgrades without removing the package (dpkg-reconfigure may work, but certainly hitting the files in /etc/apt/apt.conf.d will) but I understand that one can get more confidence by just purging a package that provides unwanted functionality.

Unless there's a good reason that unattended-upgrades must be a dependency. Can it be a Recommends instead, or perhaps be seeded as a Recommends directly?