Re: Package management and security
You want to use a combination of these commands at different times:
apt-get -qq update          # necessary, no email desired
apt-get -dy upgrade         # download minor updates, do not install, send email
apt-get -y upgrade          # install minor updates, send email
apt-get -qqdy dist-upgrade  # download major updates, do not install, no email
apt-get -dy dist-upgrade    # download major updates, do not install, send email
apt-get -y dist-upgrade     # install major updates, send email
This is what I do:
daily:
apt-get -qq update &&
apt-get -qqdy dist-upgrade &&
apt-get -dy upgrade
weekly:
apt-get -y upgrade &&
apt-get -dy dist-upgrade
monthly:
apt-get -y dist-upgrade
The daily cron job does not install anything and does not send email. It
just loads the cache with everything (-qqdy dist-upgrade) and sends email
about security updates (-dy upgrade).
The weekly job installs upgrades and sends email about what it did, and also
about which dist-upgrade packages it has downloaded (but not installed).
The monthly job does a dist-upgrade (I'm ok with this) and sends email.
This approach is easy to tweak. What is important is that you can choose to
download and send email and *not* install; this gives you a notice about
what is available but requires you to manually log in and install them.
For an environment with more critical servers you would scale this back; use
apt-get dist-upgrade (no -y) or possibly even apt-get upgrade (no -y), which
will send you email but not install anything automatically.
~mark
Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what
> about my first question?
> Let's say debian stable has the foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0
> updated to foo-1.0.1 for bugfix reasons.
> Meanwhile the author of foo releases version 2; debian stable will not
> upgrade the package because version 2 adds more features, has new
> dependencies, ...
> And now the author releases version 2.1, a critical security fix:
> there is a flaw found in versions 1 to 2.
> The debian security team does its work and first tries to backport the
> security fix, but this time it's not possible, so they have no other
> choice than to package version 2.1 in the security channel.
> As version 2.1 has new dependency requirements which are not
> installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%.
> I could accept this 1% risk only if I have a way to be warned, the server
> sending me a mail automatically for example, but I think there is no
> way to do that because there is no way to interface ourselves with apt
> (no plugin system at that time).
>
> Am I right?
>
> FP
>
> 2007/6/7, Riku Valli <riku.valli@vallit.fi>:
>>
>> Frédéric PICA wrote:
>>> Thanks for your answer,
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to
>>> always have the latest security fixes?
>>> What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I
>>> have to be sure that dist-upgrade will not break my server by
>>> removing needed packages, for example mod_php for apache or things
>>> like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli <riku.valli@vallit.fi>:
>>>
>>> Frédéric PICA wrote:
>>> > Greets,
>>> >
>>> > I saw in 'man apt-get' that using apt-get upgrade does not install new
>>> > packages or remove an already installed package.
>>> > Is it possible that I didn't get the latest security fixes using
>>> > apt-get upgrade in a cron job?
>>> > I think particularly about security fixes that can't be retro-ported
>>> > to the debian stable version and need upgrading the package to the
>>> > latest author available version; what's going on if the package
>>> > dependencies change? Will the security-patched package be installed
>>> > with its new dependencies anyway, or will the package not be
>>> > upgraded?
>>> >
>>> > Thanks for your help,
>>> > FP
>>> >
>>> >
>>> Hi
>>>
>>> apt-get upgrade only upgrades your packages to a newer version.
>>> When a package upgraded this way needs new extra packages, then
>>> upgrade can't upgrade your package. You must install it.
>>>
>>>
>>> -- Riku
>>>
>>>
>> Hi
>>
>> In the normal case, when you use Debian stable, you do only
>> update/upgrade and possibly need the switch -y (assume yes for every
>> question). At stable, dependencies normally never change. dist-upgrade
>> is (at stable) only used when you update Debian releases from older to
>> newer.
>>
>> In the older stable there was only one kernel upgrade which needed
>> manual intervention.
>>
>> Maybe this is better explained in man aptitude, see below.
>>
>> upgrade
>>     Upgrades installed packages to their most recent version. Installed
>>     packages will not be removed unless they are unused (see the section
>>     "Managing Automatically Installed Packages" in the aptitude reference
>>     manual); packages which are not currently installed will not be
>>     installed.
>>
>>     If a package cannot be upgraded without violating these constraints,
>>     it will be kept at its current version. Use the dist-upgrade command
>>     to upgrade these packages as well.
>>
>> dist-upgrade
>>     Upgrades installed packages to their most recent version, removing or
>>     installing packages as necessary. This command is less conservative
>>     than upgrade and thus more likely to perform unwanted actions. Users
>>     are advised to either use upgrade instead or to carefully inspect the
>>     list of packages to be installed and removed.
>>
>>
>> -- Riku
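The following is an added example, not code from anyone in this thread. It wraps the daily/weekly/monthly apt-get split from mark's reply in one cron-callable script and, on top of that, answers the "warn me about the 1%" question: after each run it simulates `apt-get -s upgrade` (read-only) and mails the names listed under "The following packages have been kept back:", which is exactly where a security fix shipped as a new upstream version with new dependencies ends up. The `mail` command, the `ADMIN_MAIL` variable and the sample apt-get output at the bottom are assumptions and constructed data of this example, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper for the daily/weekly/
# monthly apt-get schedule, plus a mail warning when "apt-get upgrade"
# keeps packages back. Assumes Debian apt-get and a working `mail`.
set -u

# Assumption: who receives the warning mail.
ADMIN_MAIL="${ADMIN_MAIL:-root}"

# Command line for each schedule slot, mirroring the reply: daily only
# fills the cache and mails about minor updates, weekly installs minor
# updates, monthly does the dist-upgrade.
schedule_commands() {
    case "$1" in
        daily)   echo "apt-get -qq update && apt-get -qqdy dist-upgrade && apt-get -dy upgrade" ;;
        weekly)  echo "apt-get -y upgrade && apt-get -dy dist-upgrade" ;;
        monthly) echo "apt-get -y dist-upgrade" ;;
        *)       return 1 ;;
    esac
}

# Read apt-get output on stdin and print, one per line, the package names
# listed under "The following packages have been kept back:". These are the
# packages "upgrade" refused to touch because they need new dependencies
# or removals, so a human has to decide on dist-upgrade or a manual install.
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        grab { grab = 0 }
    '
}

# Run one slot, then simulate (-s changes nothing) an upgrade and mail the
# kept-back list if there is one.
run_slot() {
    slot="$1"
    cmd=$(schedule_commands "$slot") || { echo "unknown slot: $slot" >&2; return 2; }
    sh -c "$cmd"
    kept=$(apt-get -s upgrade 2>/dev/null | kept_back_packages)
    if [ -n "$kept" ]; then
        printf 'apt-get upgrade keeps these packages back on %s:\n%s\n' \
            "$(hostname)" "$kept" |
            mail -s "apt: packages kept back on $(hostname)" "$ADMIN_MAIL"
    fi
}

# Constructed sample of apt-get output (not captured from a real host),
# used by the selftest mode so the parser can be checked without apt.
SAMPLE_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
The following packages have been kept back:
  foo libfoo-common
The following packages will be upgraded:
  bar
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.'

case "${1:-}" in
    daily|weekly|monthly) run_slot "$1" ;;
    selftest) printf '%s\n' "$SAMPLE_OUTPUT" | kept_back_packages ;;
    *) echo "usage: $0 daily|weekly|monthly|selftest" >&2 ;;
esac
```

Drop one copy into /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly (or one crontab line per slot) and pass the slot name as the argument; `selftest` runs only the parser over the constructed sample. Because the warning is derived from a simulation rather than from a hook inside apt, it needs no plugin interface, which is the objection raised in the quoted question.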