
Re: How to update



On Thu, Oct 25, 2012 at 2:41 PM, Edwin Zarthrusz <zarthrusz@yahoo.co.uk> wrote:
> Can you send me a straight-forward list of commands for updating and applying any necessary security patches and such on my install? And is there a way of getting it to update automatically?

Hi Ed,

In addition to all of the other correspondents, I have to add that I
generally don't let it automatically update. I have a small (15-20
hosts) network at home, and a larger one (250-300 hosts) at work. I
never automatically update because every now and again, things can get
broken, like APIs/ABIs. This is primarily when running testing or
unstable (which I do on most of my machines). Automatically updating
can leave you scrambling to get everything fixed. (Remember, MS forces
auto-updates, and you can see how well that works out for them...:) )

What I do is similar to what Glenn suggested. Each of my hosts sends
apticron updates to my email, and every day, I run through the list
and see if I need to update. I check for a) applications affecting the
purpose of the server, e.g. php or mediawiki or apache on my wiki,
ruby or puppet on my puppetmaster, etc.; b) urgency of the update.
About 8 months ago, there was a Kerberos patch that was listed as
"Emergency". I upgraded as quickly as I could. I also peruse the
changes for the packages listed for upgrade. I'm more likely to
upgrade if packages say "Apply security patch for..." than for ones
that say "new upstream release" unless I need some piece of
functionality.

The final point is that you should get more hands-on with your
security if you are that concerned with it. Here are a few approaches
that I suggest:

* Only run services that you really need. If you're not using an app,
either turn it off or deinstall it.
* Run a firewall to keep all services from being exposed to the internet.
* Run tools like nmap and nessus (the free version) or openvas against
your machine in addition to patching what others think you need to
patch.
* Keep good backups.
* Read the Debian security list (http://www.debian.org/security/).
* Get familiar with your machine and how it normally behaves. That
way, if something does go awry, you have that familiarity, which may
allow you to find a problem in days or hours instead of weeks or
months.

Not only will this help you secure your machine, it can develop into
marketable skills.

Regards,
--b
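
The daily triage described in the message above (host role, urgency, security fix versus new upstream release), as an added example that is not part of the original post. It assumes the pending changelog entries are available as text in Debian changelog format; the function name, the three action labels and the sample entries are constructed for illustration.

```python
import re

# Debian changelog entry header: "package (version) distribution; urgency=level"
HEADER = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) [^;\n]+; "
    r"urgency=(?P<urg>[A-Za-z]+)", re.M)
URGENT = {"high", "emergency", "critical"}      # urgency levels above low/medium
SECURITY = re.compile(r"\bsecurity\b|\bCVE-", re.I)

def triage(changelog_text, role_packages):
    """Map each package with pending changes to an action label (assumed policy)."""
    flags = {}
    headers = list(HEADER.finditer(changelog_text))
    for i, h in enumerate(headers):
        # An entry's body runs until the next header (or the end of the text).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog_text)
        f = flags.setdefault(h["pkg"], set())   # merge several entries per package
        if h["urg"].lower() in URGENT:
            f.add("urgent")
        if SECURITY.search(changelog_text, h.end(), end):
            f.add("security")
        if h["pkg"] in role_packages:
            f.add("role")
    return {
        pkg: "upgrade now" if f & {"urgent", "security"}
        else "review" if "role" in f
        else "defer"
        for pkg, f in flags.items()
    }

# Constructed sample entries (trailer lines omitted; CVE id is a placeholder).
SAMPLE = """\
krb5 (1.0-1+ex1) stable-security; urgency=emergency

  * Apply security patch for CVE-XXXX-NNNN.

apache2 (2.0-2) unstable; urgency=low

  * New upstream release.

libfoo (0.3-1) unstable; urgency=low

  * New upstream release.
"""

if __name__ == "__main__":
    # This host is assumed to be a web server, so apache2 defines its purpose.
    for pkg, action in triage(SAMPLE, {"apache2"}).items():
        print(f"{pkg}: {action}")
```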

