On Wed, Jan 28, 2015 at 1:59 AM, Paul Wise <pabs@debian.org> wrote:
> On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:
...
> You could install and configure the unattended-upgrades package
> instead of using apticron. Please note that you still need to do
> reboots after Linux kernel updates and relevant restart processes
> after library upgrades. You can use needrestart (jessie and later) or
> checkrestart (from debian-goodies) to find out which processes to
> restart.

ISTM, this libc6 update should have triggered a /var/run/reboot-required
creation, but it didn't. (yeah, it's debatable, but for the average person,
you probably want them to recognize a reboot is safest after a significant
'libc' security update -- else more savvy users can figure out to restart
critical daemons if needed)

Here's a script, 'apt-whatsup', I use for showing me what patches are
outstanding (packages that are upgradeable and current and upgradeable
versions). It operates similarly to 'aptitude's 'versions' argument, but in
a more concise layout. It allows selection of security-only updates via a
'-s' option.

AFAICT, a *security* update is only a security update because of where it
comes from (sources.list) by convention/decree. It's just the same as any
other package (the package metadata does not contain anything identifying
the package as a "security" update).

So, my script may need some adjustment for your environment if your
Debian-Security 'deb' source doesn't look like mine. Or, if you're using
'squeeze-lts', which is presumed to be 'security only' updates (Release file
'Label' field won't have "Security" in it), or if you have 3rd party
security repos, or a multi-release (e.g. stable+testing)...

In that case, you should probably re-architect to have an
/etc/apt/source.list.d/security-updates.list that contains all your security
repos which my script will use directly (if it exists), rather than trying
to ascertain which sources are security sources and creating a temp
sources.list.

If anyone has more insight, let me know.

# Get help
# ./apt-whatsup -h
apt-whatsup: apt-whatsup [ -d ] [ -n ] [ -s ] [ -k | {search-pattern} ]
This program reports all the outstanding Debian Package Updates for this system.
    -d  debug
    -k  display kernel only updates pending
    -n  don't do 'aptitude update' phase
    -s  display security updates only
    {search-pattern}  any apt-regex search pattern e.g. "cups", "^apache2$"

# See what packages and versions (current/upgradeable) are in play for upgradeable packages
# ./apt-whatsup
Warning, no aptitude update performed, results may be inaccurate...
apache2-mpm-worker  2.2.22-13+deb7u3  2.2.22-13+deb7u4
apache2-utils       2.2.22-13+deb7u3  2.2.22-13+deb7u4
apache2.2-bin       2.2.22-13+deb7u3  2.2.22-13+deb7u4
apache2.2-common    2.2.22-13+deb7u3  2.2.22-13+deb7u4
...

# How many upgradable packages are outstanding (use '-n' to avoid aptitude update, since
# we already did that implicitly in the previous invocation)
# ./apt-whatsup -n | wc -l
Warning, no aptitude update performed, results may be inaccurate...
79

# How many upgradable packages are from security repos
# ./apt-whatsup -s -n | wc -l
Warning, no aptitude update performed, results may be inaccurate...
67

# see if we have a glibc/libc6 security update available
# ./apt-whatsup -s -n '(glibc|libc6)'
Warning, no aptitude update performed, results may be inaccurate...
glibc-doc    2.13-38+deb7u6  2.13-38+deb7u7
libc6        2.13-38+deb7u6  2.13-38+deb7u7
libc6:i386   2.13-38+deb7u6  2.13-38+deb7u7
libc6-dev    2.13-38+deb7u6  2.13-38+deb7u7
libc6-i386   2.13-38+deb7u6  2.13-38+deb7u7

--stephen
-- 
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
Attachment:
apt-whatsup.sh
Description: Bourne shell script
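
The message above notes that an update is a "security" update only by virtue of the source that offers it. The sketch below is an added example, not the attached apt-whatsup script: it classifies upgradeable packages by checking which source serves the candidate version in `apt-cache policy` output. The names security_candidates, sample_policy, mirror.example and examplepkg are made up here, and the default source pattern is an assumption to adjust for your own sources.list.

```sh
#!/bin/sh
# Added example, not the attached apt-whatsup script.
# Reads `apt-cache policy PKG...` output on stdin and prints
# "package installed candidate" for each upgradeable package whose
# candidate version is offered by a source matching the regex in $1.
security_candidates() {
    SEC_PAT="${1:-security[.]debian[.]org}" awk '
        BEGIN { pat = ENVIRON["SEC_PAT"] }
        # "libc6:" opens a new package stanza
        /^[^ ].*:$/ { pkg = $0; sub(/:$/, "", pkg); inst = cand = cur = ""; hit = 0; next }
        /^  Installed: / { inst = $2; next }
        /^  Candidate: / { cand = $2; next }
        # Version-table entries: " *** VER PRIO" (installed) or "     VER PRIO"
        /^ \*\*\* [^ ]/ { cur = $2; next }
        /^     [^ ]/ { cur = $1; next }
        # Source lines belong to the version entry above them
        /^        [0-9]/ {
            if (!hit && cur == cand && inst != cand && inst != "(none)" && $0 ~ pat) {
                print pkg, inst, cand; hit = 1
            }
        }'
}

# Constructed sample input (mirror.example and examplepkg are made up).
sample_policy() {
    cat <<'EOF'
libc6:
  Installed: 2.13-38+deb7u6
  Candidate: 2.13-38+deb7u7
  Version table:
     2.13-38+deb7u7 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 2.13-38+deb7u6 0
        500 http://mirror.example/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
examplepkg:
  Installed: 1.0-1+deb7u1
  Candidate: 1.0-1+deb7u2
  Version table:
     1.0-1+deb7u2 0
        500 http://mirror.example/debian/ wheezy-updates/main amd64 Packages
 *** 1.0-1+deb7u1 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_policy | security_candidates
```

Only the sources listed under the candidate version count: examplepkg is not reported even though its installed version came from the security source, because its pending upgrade is served by a different one.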