Is automatic installation of updates from "security" repository a good choice? - please share your experience.

iceblink iceblink at seti.nl
Thu Apr 9 11:48:57 UTC 2015


On 2015-04-09 13:22, Rafał Radecki wrote:
> Hi All :)
> 
> I currently have to implement a solution for checking and/or automatic
> installation of security updates on Ubuntu servers.
> I know that I can check if there are available security updates
> through several methods:
> 
> 1) # unattended-upgrade --dry-run
> 
> 2) # apt-get -s dist-upgrade | grep "^Inst" | grep -i security
> 
> 3) put all security repositories in a dedicated file (for example
> /etc/apt/security.sources.list) and run
>     # apt-get -u upgrade --assume-no -o Dir::Etc::SourceList=/etc/apt/security.sources.list
> 
> In https://help.ubuntu.com/community/Repositories/Ubuntu [1] it is
> stated that:
> 
> "Important Security Updates (raring-security)". Patches for security
> vulnerabilities in Ubuntu packages. They are managed by the Ubuntu
> Security Team and are designed to change the behavior of the package
> as little as possible -- in fact, the minimum required to resolve the
> security problem. As a result, they tend to be very low-risk to apply
> and all users are urged to apply security updates."
> 
> Do you think that automatic installation of updates available in
> the security repository is a good choice? I can use any of the commands
> from 1) to 3) after disabling dry-run mode for them. What is your
> experience in this case?
> 
> BR,
> Rafal.

I've used unattended-upgrades to automatically install security updates 
on a LAMP server for many years now, and never had a problem. The system 
will install all patches as soon as they are available. If a restart is 
required, the system will not reboot by itself; this requires manual 
intervention. That is exactly how I like it, because the server spends 
quite a bit of time running a MySQL script on a huge database, and I'd 
hate to reboot in the middle of that.

But I guess it all depends on what you do with your servers.

Best regards,
Patrick
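
Added example, not part of the thread or of any Ubuntu tool: a report-only shell script that combines method 2 from the question with the reboot caveat from the reply. It goes slightly beyond `grep -i security` by testing only the origin fields of each `Inst` line; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Report-only: nothing is installed.
# Function names are hypothetical; the sample lines are constructed.

# Read `apt-get -s dist-upgrade` output on stdin and print
# "package old-version new-version" for each package whose candidate comes
# from a *-security pocket. Only the origin fields are tested, so a package
# that merely has "security" in its name is not reported.
security_updates() {
    awk '$1 == "Inst" {
        old = "(new)"; new = ""; sec = 0
        for (i = 3; i <= NF; i++) {
            if (new == "" && $i ~ /^\[/) old = substr($i, 2, length($i) - 2)
            else if (new == "" && $i ~ /^\(/) new = substr($i, 2)
            else if ($i ~ /\/[a-z]+-security[,)]?$/) sec = 1
        }
        if (sec) print $2, old, new
    }'
}

# Succeeds if an installed update has requested a reboot. Ubuntu packages
# create this flag file; the path argument exists only to allow testing.
reboot_pending() {
    [ -e "${1:-/var/run/reboot-required}" ]
}

# Constructed simulation output covering: an upgrade, a candidate listed
# under two pockets, a newly installed package, and a non-security update.
SAMPLE='Inst openssl [1.0.1f-1ubuntu2.8] (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
Inst bash [4.3-7ubuntu1.4] (4.3-7ubuntu1.5 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst libssl-doc (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [all])
Inst demo-security-tools [1.0] (1.1 Ubuntu:14.04/trusty-updates [amd64])
Conf openssl (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])'

echo "Pending security updates (sample input):"
printf '%s\n' "$SAMPLE" | security_updates
# On a real host: apt-get -s dist-upgrade | security_updates

if reboot_pending; then
    echo "Reboot required; schedule it outside long-running jobs."
else
    echo "No reboot pending."
fi
```

Run from cron or a monitoring check, this gives the "check only" half of the question without installing anything, and surfaces the pending reboot that unattended-upgrades leaves for manual handling.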




