Should I have to enable automatic update on Debian lenny stable?

(Warnings regarding automatic upgrades have already been voiced by previous posters.)

Given the track record of the Debian Security team in the last few years, I consider the risks of broken upgrades far less than the benefit of having automatic updates on seldom-visited systems.

Debian Lenny comes with unattended-upgrades, which originated from Ubuntu and is considered to be the de facto solution for unattended upgrades on Debian starting from Lenny/5.0.

To get it up and running on a Debian system you need to install the unattended-upgrades package.

Then add these lines to /etc/apt/apt.conf:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

(Note: In Debian Squeeze/6.0 there is no /etc/apt/apt.conf. The preferred method is to use the following command, which will create the above lines in /etc/apt/apt.conf.d/20auto-upgrades:)

sudo dpkg-reconfigure -plow unattended-upgrades

A cron job is then run nightly and checks if there are security updates which need to be installed.

Actions by unattended-upgrades can be monitored in /var/log/unattended-upgrades/. Be aware that for kernel security fixes to become active, you need to reboot the server manually. This can also be done automatically in the course of a planned (e.g. monthly) maintenance window.
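The two settings and the reboot caveat from this answer, as an added shell example that is not from the original post: it audits an apt.conf fragment like the one dpkg-reconfigure writes to 20auto-upgrades, and flags a pending kernel reboot from a constructed unattended-upgrades log line. The log line format and the /var/run/reboot-required marker path are assumptions, not something the answer states.

```shell
#!/bin/sh
# periodic_enabled FILE KEY -> 0 if KEY is set to a non-zero value in FILE.
# apt.conf syntax is:  Key "value";   (quotes optional, trailing comment allowed)
periodic_enabled() {
    file=$1; key=$2
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*\"\{0,1\}\([0-9]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" "$file" | tail -n 1)
    [ -n "$val" ] && [ "$val" -ne 0 ]
}

# audit_auto_upgrades FILE -> 0 only when both periodic settings are enabled.
audit_auto_upgrades() {
    rc=0
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        if periodic_enabled "$1" "$key"; then
            echo "ok:      $key enabled"
        else
            echo "WARNING: $key is disabled or missing"
            rc=1
        fi
    done
    return $rc
}

# reboot_pending LOG MARKER -> 0 if the marker file exists (assumed path:
# /var/run/reboot-required on a real host) or the log shows a kernel image
# upgrade (log line format assumed).
reboot_pending() {
    [ -e "$2" ] && return 0
    grep -q 'Packages that will be upgraded:.*linux-image' "$1"
}

# Demo on constructed files so it runs offline without touching the host.
demo() {
    tmp=$(mktemp -d)
    # Constructed fragment matching the two lines the answer adds.
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/20auto-upgrades"
    # Constructed log line; real logs live under /var/log/unattended-upgrades/.
    printf 'INFO Packages that will be upgraded: linux-image-2.6.26-2-686\n' > "$tmp/unattended-upgrades.log"
    audit_auto_upgrades "$tmp/20auto-upgrades"
    if reboot_pending "$tmp/unattended-upgrades.log" "$tmp/reboot-required"; then
        echo "reboot required: a kernel was upgraded, schedule it in the maintenance window"
    fi
    rm -rf "$tmp"
}

demo
```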


Apt now comes with its own cron job, /etc/cron.daily/apt, and the documentation is found in the file itself:

#set -e
#    
# This file understands the following apt configuration variables:
#
#  "APT::Periodic::Update-Package-Lists=1"
#  - Do "apt-get update" automatically every n-days (0=disable)
#
#  "APT::Periodic::Download-Upgradeable-Packages=0",
#  - Do "apt-get upgrade --download-only" every n-days (0=disable)
#
#  "APT::Periodic::AutocleanInterval"
#  - Do "apt-get autoclean" every n-days (0=disable)
#
#  "APT::Periodic::Unattended-Upgrade"
#  - Run the "unattended-upgrade" security upgrade script
#    every n-days (0=disabled)
#    Requires the package "unattended-upgrades" and will write
#    a log in /var/log/unattended-upgrades
#
#  "APT::Archives::MaxAge",
#  - Set maximum allowed age of a cache package file. If a cache
#    package file is older it is deleted (0=disable)
#
#  "APT::Archives::MaxSize",
#  - Set maximum size of the cache in MB (0=disable). If the cache
#    is bigger, cached package files are deleted until the size
#    requirement is met (the biggest packages will be deleted
#    first).
#
#  "APT::Archives::MinAge"
#  - Set minimum age of a package file. If a file is younger it
#    will not be deleted (0=disable). Useful to prevent races
#    and to keep backups of the packages for emergency.

Just install apticron and change the EMAIL= setting in /etc/apticron/apticron.conf.

Apticron will check for the latest updates and download them. It will NOT install them. It will send you a mail with the updates that are pending.


My advice: yes, get the security updates automatically. I had a dedicated Debian server about 4 years ago, without automated updates. I went on vacation around Christmas when a worm was released that exploited a known vulnerability in the distribution (don't remember which one). When I returned from vacation, my server was hacked.

For me, the risk of breaking the application is very low, much lower than being hacked by running versions with well-known vulnerabilities.