On Wed, Jan 28, 2015 at 1:59 AM, Paul Wise <pabs@debian.org> wrote:
> On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:
...
> You could install and configure the unattended-upgrades package
> instead of using apticron. Please note that you still need to do
> reboots after Linux kernel updates and relevant restart processes
> after library upgrades. You can use needrestart (jessie and later) or
> checkrestart (from debian-goodies) to find out which processes to
> restart.
ISTM, this libc6 update should have triggered a
/var/run/reboot-required creation, but it didn't. (yeah, it's
debatable, but for the average person, you probably want them to
recognize a reboot is safest after a significant 'libc' security
update -- else more savvy users can figure out to restart critical
daemons if needed)

Here's a script, 'apt-whatsup', I use for showing me what patches are
outstanding (packages that are upgradeable and current and upgradeable
versions). It operates similarly to 'aptitude's 'versions' argument,
but in a more concise layout. It allows selection of security-only
updates via a '-s' option.

AFAICT, a *security* update is only a security update because of where
it comes from (sources.list) by convention/decree.
It's just the same as any other package (the package metadata does not
contain anything identifying the package as a "security" update).

So, my script may need some adjustment for your environment if your
Debian-Security 'deb' source doesn't look like mine. Or, if you're
using 'squeeze-lts', which is presumed to be 'security only' updates
(Release file 'Label' field won't have "Security" in it), or if you
have 3rd party security repos, or a multi-release (e.g.
stable+testing)... In that case, you should probably re-architect to
have an /etc/apt/sources.list.d/security-updates.list that contains
all your security repos which my script will use directly (if it
exists), rather than trying to ascertain which sources are security
sources and creating a temp sources.list.

If anyone has more insight, let me know.

# Get help
# ./apt-whatsup -h
apt-whatsup:
apt-whatsup [ -d ] [ -n ] [ -s ] [ -k | {search-pattern} ]
This program reports all the outstanding Debian Package Updates
for this system.
-d debug
-k display kernel only updates pending
-n don't do 'aptitude update' phase
-s display security updates only
{search-pattern} any apt-regex search pattern
e.g. "cups", "^apache2$"
# See what packages and versions (current/upgradeable) are in play for
# upgradeable packages
# ./apt-whatsup
Warning, no aptitude update performed, results may be inaccurate...
apache2-mpm-worker 2.2.22-13+deb7u3
2.2.22-13+deb7u4
apache2-utils 2.2.22-13+deb7u3
2.2.22-13+deb7u4
apache2.2-bin 2.2.22-13+deb7u3
2.2.22-13+deb7u4
apache2.2-common 2.2.22-13+deb7u3
2.2.22-13+deb7u4
...
# How many upgradable packages are outstanding (use '-n' to avoid
# aptitude update, since we already did that implicitly in the
# previous invocation)
# ./apt-whatsup -n | wc -l
Warning, no aptitude update performed, results may be inaccurate...
79
# How many upgradable packages are from security repos
# ./apt-whatsup -s -n | wc -l
Warning, no aptitude update performed, results may be inaccurate...
67
# see if we have a glibc/libc6 security update available
# ./apt-whatsup -s -n '(glibc|libc6)'
Warning, no aptitude update performed, results may be inaccurate...
glibc-doc 2.13-38+deb7u6
2.13-38+deb7u7
libc6 2.13-38+deb7u6
2.13-38+deb7u7
libc6:i386 2.13-38+deb7u6
2.13-38+deb7u7
libc6-dev 2.13-38+deb7u6
2.13-38+deb7u7
libc6-i386 2.13-38+deb7u6
2.13-38+deb7u7
--stephen
--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
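
An added example, not part of the original message and not the apt-whatsup script: one way to decide which configured sources count as security sources from the Release file 'Label' field, with an explicit override for suites such as squeeze-lts whose label does not contain "Security". The sample Release headers and the function names are constructed for illustration.

```python
import re

# Constructed, abridged Release headers modelled on the files apt keeps
# under /var/lib/apt/lists/*_Release. Sample values, not captured data.
SAMPLE_RELEASES = {
    "security.debian.org_dists_wheezy_updates_Release": (
        "Origin: Debian\nLabel: Debian-Security\nSuite: stable\n"
        "Codename: wheezy\nMD5Sum:\n 0123abcd 1234 main/binary-amd64/Packages\n"
    ),
    "ftp.debian.org_debian_dists_wheezy_Release": (
        "Origin: Debian\nLabel: Debian\nSuite: stable\nCodename: wheezy\n"
    ),
    "ftp.debian.org_debian_dists_squeeze-lts_Release": (
        "Origin: Debian\nLabel: Debian\nSuite: squeeze-lts\n"
        "Codename: squeeze-lts\n"
    ),
}

def parse_release_header(text):
    """Return the single-line 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        if line.startswith((" ", "\t")):  # continuation line (checksum list)
            continue
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)$", line)
        if m and m.group(2):              # skip bare headers such as 'MD5Sum:'
            fields[m.group(1)] = m.group(2).strip()
    return fields

def is_security_source(text, security_only_suites=frozenset()):
    """True if Label contains 'Security' or the suite is declared security-only."""
    f = parse_release_header(text)
    if "security" in f.get("Label", "").lower():
        return True
    # Override for sources that are security-only by convention, not by label.
    return bool({f.get("Suite"), f.get("Codename")} & set(security_only_suites))

def classify(releases, security_only_suites=frozenset()):
    """Map each Release file name to True (security source) or False."""
    return {n: is_security_source(t, security_only_suites) for n, t in releases.items()}

if __name__ == "__main__":
    for name, sec in classify(SAMPLE_RELEASES, {"squeeze-lts"}).items():
        print(("security " if sec else "other    ") + name)
```

Without the override set, the squeeze-lts source is classified as non-security, which is the case the message warns about.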