
Re: Package management and security

Frédéric PICA wrote:
Thanks for your answer,

So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes?
What's the risk of having a needed package uninstalled that way?

My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.


2007/6/7, Riku Valli <riku.valli@vallit.fi>:

    Frédéric PICA wrote:
    > Greets,
    > I saw in 'man apt-get' that using apt-get upgrade does not install new
    > packages or remove an already installed package.
    > Is it possible that I didn't get the latest security fixes using
    > apt-get upgrade in a cron job?
    > I think particularly about security fixes that can't be retro-ported
    > to the debian stable version and need to upgrade the package to the
    > latest author-available version. What happens if the package
    > dependencies change? Will the security patch be installed
    > with its new dependencies anyway, or will the package not be
    > upgraded?
    > Thanks for your help,
    > FP

    apt-get upgrade only upgrades your packages to a newer version. When
    a package upgraded this way needs new extra packages, it
    can't be upgraded. You must install it.

    -- Riku


In the normal case, when you use Debian stable, you only do update/upgrade, and possibly need the -y switch (assume yes for every question). On stable, dependencies normally never change. dist-upgrade is (on stable) only used when you upgrade Debian releases from older to newer.

In the older stable there was only one kernel upgrade which needed manual intervention.

Maybe this is better explained in man aptitude, see below.

Upgrades installed packages to their most recent version. Installed
          packages will not be removed unless they are unused (see the
          section "Managing Automatically Installed Packages" in the
          aptitude reference manual); packages which are not currently
          installed will not be installed.

          If a package cannot be upgraded without violating these
          constraints, it will be kept at its current version. Use the
          dist-upgrade command to upgrade these packages as well.

Upgrades installed packages to their most recent version, removing
          or installing packages as necessary. This command is less
          conservative than upgrade and thus more likely to perform
          unwanted actions. Users are advised to either use upgrade
          instead or to carefully inspect the list of packages to be
          installed and removed.

-- Riku
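
An added example, not part of the original thread: one way to address the cron concern raised above is to run `apt-get -s dist-upgrade` (simulate) first and refuse the real upgrade if any needed package appears on a `Remv` line. The `PROTECTED` list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Gate an unattended dist-upgrade on a simulation run.
# `apt-get -s` prints one line per planned action: "Inst", "Remv" or "Conf".

# Packages that must never be removed (hypothetical list; adjust per server).
PROTECTED="apache2 libapache2-mod-php5"

# Read simulation output on stdin; print the name of each package to be removed.
planned_removals() {
    awk '$1 == "Remv" { print $2 }'
}

# Read simulation output on stdin. Prints a message and returns 1 if a
# protected package would be removed; returns 0 otherwise.
check_simulation() {
    removed=$(planned_removals | tr '\n' ' ')
    hit=""
    for pkg in $PROTECTED; do
        # Match whole names only, so "apache2" does not match "libapache2-...".
        case " $removed " in
            *" $pkg "*) hit="$hit $pkg" ;;
        esac
    done
    if [ -n "$hit" ]; then
        echo "would remove protected packages:$hit"
        return 1
    fi
    return 0
}

# Constructed samples of simulation output (not from a real run).
SAMPLE_SAFE='Inst libexample1 [1.0-1] (1.0-2 Debian-Security:stable)
Conf libexample1 (1.0-2 Debian-Security:stable)'
SAMPLE_BREAKING='Remv libapache2-mod-php5 [1.0-1]
Inst php5-common [1.0-1] (1.0-2 Debian-Security:stable)
Conf php5-common (1.0-2 Debian-Security:stable)'

# Cron usage (not executed here):
#   apt-get -qq update \
#     && apt-get -s dist-upgrade | check_simulation \
#     && apt-get -y dist-upgrade
```

When the check fails, the cron job's output names the packages at risk, so the upgrade can be reviewed and run by hand.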
