Keep your Debian system up-to-date

One of the first rules in security is to keep your servers updated with the latest security patches. Debian provides a wonderful and very easy mechanism to do this. People often ask whether it is best to update automatically or manually. Here are my 2 cents on this issue:

In case you are using (as I am) the testing branch of Debian on live servers:

  • If you are managing a single server, then you are probably best off updating automatically. Why? Because even if there is a problem with an update, you will not have the chance to see it on another running server and deal with it first (either by ignoring the update or by fixing the problem it causes).
  • If you are managing more servers (maybe similar ones), then it might be a good idea to do this manually. Why? Because if there is a problem with some update, you save yourself valuable time by not having to solve the issue it introduced on many servers.

In case you are using the stable branch of Debian:

  • In this case I am all for automatic updates. The stable branch is very reliable and you should not see any problems caused by the updates.

Depending on how many systems are under management this might be true or not (if there are hundreds of servers, then maybe my above ideas are no longer true). But for someone managing a few servers (as myself) that should be a good option.

Today I will present the manual approach and leave the automatic approach for a future article.

All you have to do is:

  • sync the lists of new/upgradeable packages:
      aptitude update
  • perform the actual update/s:
      aptitude upgrade

You can get the same result using apt-get instead of aptitude. It depends on which tool you prefer (they are very similar).

This will automatically download any available updates and check the dependencies (suggesting additional packages if needed, etc.). If a package's configuration file has changed, it will ask whether to keep your old modified version or install the package's default one (if you have not changed the configuration file, this is done automatically).
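For the manual approach above, one way to review what is pending before running the upgrade, and to see which packages come from a security archive. This is an added example, not part of the original article; it reads the output of apt-get's simulation mode (`apt-get -s upgrade`). The helper names `pending_upgrades` and `count_security` are hypothetical, the sample output is constructed, and matching "security" in the archive label is an assumption.

```shell
#!/bin/sh
# Added example: list pending upgrades and mark those from a security archive.
# Live use (the second command only simulates, it changes nothing):
#   apt-get update && apt-get -s upgrade | pending_upgrades

# Constructed sample of `apt-get -s upgrade` output, so this runs offline.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.1d-0+deb10u3] (1.1.1d-0+deb10u4 Debian-Security:10/stable [amd64])
Inst openssl [1.1.1d-0+deb10u3] (1.1.1d-0+deb10u4 Debian-Security:10/stable [amd64])
Inst tzdata [2020a-0+deb10u1] (2020d-0+deb10u1 Debian:10.7/stable [all])
Conf libssl1.1 (1.1.1d-0+deb10u4 Debian-Security:10/stable [amd64])
Conf openssl (1.1.1d-0+deb10u4 Debian-Security:10/stable [amd64])
Conf tzdata (2020d-0+deb10u1 Debian:10.7/stable [all])'

# pending_upgrades (hypothetical helper): reads simulation output on stdin and
# prints one line per package: "<kind> <package> <installed> <candidate>".
pending_upgrades() {
    awk '$1 == "Inst" {
        old = "-"; new = ""; src = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^\[/) {
                old = substr($i, 2, length($i) - 2)   # installed version
            } else if ($i ~ /^\(/) {
                new = substr($i, 2)                   # candidate version
                for (j = i + 1; j <= NF; j++) src = src " " $j
                break
            }
        }
        # Assumption: a security archive has "security" in its label.
        kind = (tolower(src) ~ /security/) ? "security" : "regular"
        print kind, $2, old, new
    }'
}

# count_security (hypothetical helper): number of pending security upgrades.
count_security() {
    pending_upgrades | awk '$1 == "security" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SIM" | pending_upgrades
```

On a host with several similar servers, comparing this list across machines before upgrading shows whether they will all receive the same changes.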

In future articles I will show how to tweak various aspects of this very important task: to keep your systems up-to-date.
