On my own computer, I have been used to run apt-get upgrade directly for years.
But few days ago I have a chance to admin a ubuntu server. I guess my old habit is bad.
Should/how I update security updates only to minimize dependence issus?
And how can I confirm the source is trustworthy(by SHA or other hash), keep the middleman attack away?
Using apt-get is fine on an Ubuntu system. If you only want to include security related updates, make sure that you don't have the lucid-updates distro in your source list (i.e. only have lucid and lucid-security). All the package tools will verify GPG signatures and SHA hashes by default, and will explicitly prompt you to continue if they are unable to do so.
