1

I have GNU/Linux Debian servers (Etch/Lenny) in production. I want these systems to stay up to date. I have installed apticron, which tells me what package needs an upgrade. What is the good practice for production servers and stable releases of Debian:

  • always upgrade all packages (risky or not on Debian stable?) OR
  • only apply security updates (enough or not?)

Thanks!

drAlberT
Matthieu

4 Answers

7

I usually apply every update on the stable branch; no problems for years and years, even passing from one release to another.

My servers live with a daily, manually run, upgrade-system (great tool) and they have been updated and upgraded from Woody to Lenny quite simply.

Of course I do not make the updates via cron, I get only the updates availability this way.

In case of core packages such as glibc I first test the update on a non production machine, of course.

PS: I strongly recommend upgrade-system, as it runs deborphan too and helps to keep the system up to date and clean at the same time.

My 2 cents

Edit:
Note that inside a given release (Lenny, for example), there can perfectly well be a "sub-release", say 5.0-r1, 5.0-r2 and so on.

As reported in the wikipedia page on Debian, a stable release can be updated to fulfill security and/or usability issues:

"stable, presently aliased lenny, is the current release that has stable and well tested software. Stable is made by freezing testing for a few months where bugs are fixed in order to make the distribution as stable as possible; then the resulting system is released as stable. It is updated only if major security or usability fixes are incorporated."

The short answer to asdmin's objection is that it is perfectly possible to have non-security-related updates even inside the same major stable release.

drAlberT
  • Thanks for the upgrade-system flag, but you could get away with using aptitude for the same idea. – David Rickman Aug 12 '09 at 09:18
  • aptitude is much more interactive, upgrade-system instead makes everything needed just running it. de gustibus non disputandum est, of course :) – drAlberT Aug 12 '09 at 09:47
  • Debian will not ship new software for stable distributions between two releases. All new packages will be security fixes on the same versions. – asdmin Aug 12 '09 at 10:12
  • @AlberT, of course. – David Rickman Aug 12 '09 at 10:14
  • About updates on usability issues: at Debian, a usability issue is not about cosmetics. Most of the time, even with the highest demand from the Debian community, the release will stand, even if it's not quite usable (see the php+gd problem). BTW, it's the major reason why the freezing time is usually so long. – asdmin Aug 12 '09 at 13:17
  • @asdmin, nihil novi sub sole I think. I suggest taking a look at the Debian ChangeLog (http://www.debian.org/News/2009/20090627); libnet-rawip-perl is an example, to immediately understand that fixes are done in subsequent release updates even if they are not strictly security related. – drAlberT Aug 12 '09 at 13:53
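The question and the answer above turn on the distinction between updates that come from the security archive and the other point-release updates that Debian ships inside the same stable release. The following script is an added example, not code from the thread or from any Debian tool: it feeds the simulation output of `apt-get -s upgrade` through awk and labels each pending upgrade as "security" when its origin is the Debian-Security archive, and "other" otherwise, so an administrator who only wants to apply security fixes by hand can see at a glance what else is waiting. It assumes the Lenny-era line format `Inst <pkg> [<old>] (<new> <Origin>:<suite>)`; the package names and version strings in the embedded sample are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original thread). Classify pending upgrades
# reported by `apt-get -s upgrade` by archive origin, so that security
# updates can be applied separately from other stable point-release updates.
# Assumed line format: Inst <pkg> [<old>] (<new> <Origin>:<suite>)

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Inst libssl0.9.8 [0.9.8g-15+lenny1] (0.9.8g-15+lenny5 Debian-Security:5.0/stable)
Inst libc6 [2.7-18] (2.7-18lenny2 Debian:5.0.2/stable)
Inst libnet-rawip-perl [0.21-1] (0.21-1+lenny1 Debian:5.0.2/stable)
Inst bind9 [1:9.5.1.dfsg.P3-1] (1:9.5.1.dfsg.P3-1+lenny1 Debian-Security:5.0/stable)
Conf libssl0.9.8 (0.9.8g-15+lenny5 Debian-Security:5.0/stable)'

# Read simulation output on stdin; print one line per pending upgrade:
#   security <pkg> <old> -> <new>   (origin is the Debian-Security archive)
#   other    <pkg> <old> -> <new>   (any other origin, e.g. a point release)
# "Conf" lines and progress messages are ignored.
classify_upgrades() {
    awk '$1 == "Inst" {
        pkg = $2
        old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
        new = $4; sub(/^\(/, "", new)
        origin = $5
        kind = (origin ~ /^Debian-Security:/) ? "security" : "other"
        printf "%s %s %s -> %s\n", kind, pkg, old, new
    }'
}

# Number of pending upgrades that come from the security archive.
count_security() {
    classify_upgrades | grep -c '^security '
}

# Number of pending upgrades that come from anywhere else.
count_other() {
    classify_upgrades | grep -c '^other '
}

# Stand-alone run: "--live" uses the real apt-get simulation on a Debian
# host; otherwise the constructed sample is used so the script runs offline.
if [ "${1:-}" = "--live" ]; then
    apt-get -s upgrade 2>/dev/null | classify_upgrades
else
    printf '%s\n' "$SAMPLE_SIM" | classify_upgrades
fi
```

Run it as `sh classify.sh --live` on a server after `apt-get update`; nothing is installed, because only the `-s` simulation is consulted. The "other" group is exactly the kind of point-release update drAlberT describes (the libnet-rawip-perl case), which is why filtering on the origin label rather than assuming "stable only gets security fixes" matters.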
5

Once you have a Debian stable release installed (Etch, for your example) you will not have anything but security fixes to install. Debian's policy is not to change/upgrade the software within a given release but just to provide a fix for problems which have been discovered between two releases.

By the way, I wouldn't let anything do the upgrade but myself. A malformed install/init script will make your system unavailable in a minute, therefore you can and shall use download helpers, but do not let the upgrade process go unsupervised.

asdmin
  • The point is what you are naming "a release": Debian makes updates inside the same major release (say Lenny, for example), updating it from the initial version to r1, r2 and so on. – drAlberT Aug 12 '09 at 10:46
  • The bug fixes are done by patches maintaining the same program version over the given (for example, Etch) release. When a stable distribution gets old, security fixes are applied on the installation media (install DVDs, CDs), re-releasing them and then incrementing r. The current release is 5.0.2, which is Lenny r2. The next Debian distribution will be called Squeeze r0. – asdmin Aug 12 '09 at 13:09
3

In this similar question there's an answer pointing to the very promising apt-dater program, where you can manage updates and install packages from a central location with a ncurses interface.

chmeee
1

I have started using cron-apt after I asked a similar question and have found it to be quite useful.

Cron-apt downloads the updates and can send an e-mail when there are new differences so that you can manually upgrade.

I currently have it set up so that it checks for new updates every night and mails me when there are new updates to be installed.

I only download and install updates for stable packages and usually do a short check on the release notes (if any) so that I know what I am actually upgrading.

Aron Rotteveel