Is apt-get upgrade a dangerous command?

When I use apt-get update and apt-get upgrade, there are some packages that should be installed in the newest version, like below:

The following packages will be upgraded:
  accountsservice apparmor apport apt apt-transport-https apt-utils binutils
  cloud-init cpp-4.8 dpkg fuse g++-4.8 gcc-4.8 gcc-4.8-base gdisk gnupg gpgv
  grub-common grub-legacy-ec2 grub-pc grub-pc-bin grub2-common initscripts
  isc-dhcp-client isc-dhcp-common libaccountsservice0 libapparmor-perl
  libapparmor1 libapt-inst1.5 libapt-pkg4.12 libasan0 libatomic1 libbsd0
  libcurl3-gnutls libdrm2 libedit2 libfuse2 libgcc-4.8-dev libgd3 libgomp1
  libitm1 libjson-c2 libjson0 libnuma1 libpam-systemd libpolkit-agent-1-0
  libpolkit-backend-1-0 libpolkit-gobject-1-0 libquadmath0 libstdc++-4.8-dev
  libstdc++6 libsystemd-daemon0 libsystemd-login0 libtsan0 libudev1 libxext6
  linux-libc-dev ntpdate openssl overlayroot patch policykit-1 ppp
  python-urllib3 python3-apport python3-problem-report python3-update-manager
  rsyslog systemd-services sysv-rc sysvinit-utils tcpdump tzdata udev
  update-manager-core
75 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

If I don't know, for every one of these packages, what will happen if they are updated to the newest version, I shouldn't execute this command (apt-get upgrade).

For example:

This is the PHP version before I upgrade:

yzxu@ubuntu:/tmp/git-2.1.2$ php --version
PHP 5.6.6-1+deb.sury.org~precise+1 (cli) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

and after I upgrade:

yzxu@ubuntu:/tmp/git-2.1.2$ php --version
PHP 5.6.10-1+deb.sury.org~precise+1 (cli) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

The PHP version has changed. And if I don't know what was changed between the two versions, should I upgrade it? Will it influence the product?


Solution 1:

apt-get update

Refreshes the repositories and fetches information about packages that are available online.

apt-get upgrade

Downloads and installs updates for all installed packages, as long as it doesn't bother dependencies (install new packages, remove old ones or cross a repo source (switch a package from one repo to another)).

apt-get dist-upgrade

Does the same as "upgrade" but upgrades a package also when dependencies or sources are changed (something you want to avoid on servers without further testing).

To conclude - an update can break things but it is necessary! So if you are on a desktop you should normally do a:

sudo apt-get update && sudo apt-get dist-upgrade

Without destroying anything.

On a server, most of the time a:

sudo apt-get update && sudo apt-get upgrade

should be enough AND security updates should be installed automatically (on servers and desktops)

Update to 16.04

Meanwhile the "apt" wrapper is the standard way in Ubuntu, so the commands are now:

sudo apt update        #to update the repo-information

sudo apt upgrade       #to install all security fixes and changes that don't harm the system or change the behaviour

sudo apt full-upgrade  #the new "dist-upgrade" that installs newer versions that can break backwards-compatibility

TL;DR!

Yes, you should update PHP in this example because it is a security fix (this can be seen through the versioning scheme of PHP; it also wouldn't have been pushed into the "upgrade" channel of Ubuntu.)
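
A way to see what a pending upgrade would change before running it, added here as an example and not part of the original answers: `apt-get -s upgrade` simulates the run, and the function below splits its `Inst` lines into packages offered by a `-security` suite and everything else. The sample lines, their origin labels and the `php5-cli` package name are constructed; only the PHP version strings come from the question.

```bash
#!/usr/bin/env bash
# Added example: classify the upgrades that `apt-get -s upgrade` would perform.
# Assumed line shape for an upgrade in the simulation output:
#   Inst <pkg> [<installed>] (<candidate> <Origin>:<release>/<suite>[, ...] [<arch>])

classify_upgrades() {
  # stdin: simulation output; stdout: "<kind> <pkg> <old> -> <new> <first source>"
  awk '
    $1 == "Inst" && $3 ~ /^\[/ {           # "[old]" present: an upgrade, not a new install
      old = substr($3, 2, length($3) - 2)  # strip the surrounding brackets
      new = substr($4, 2)                  # strip the leading parenthesis
      src = $5; sub(/,$/, "", src)         # first listed source
      kind = "other"
      for (i = 5; i <= NF; i++)            # any source in a *-security suite counts
        if ($i ~ /-security,?$/) kind = "security"
      print kind, $2, old, "->", new, src
    }'
}

# Constructed sample of simulation output (not captured from a real host).
SAMPLE_SIM='Inst openssl [1.0.1f-1ubuntu2.11] (1.0.1f-1ubuntu2.15 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst tzdata [2015b-0ubuntu0.14.04] (2015d-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
Inst php5-cli [5.6.6-1+deb.sury.org~precise+1] (5.6.10-1+deb.sury.org~precise+1 LP-PPA-example:12.04/precise [amd64])
Conf openssl (1.0.1f-1ubuntu2.15 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])'

printf '%s\n' "$SAMPLE_SIM" | classify_upgrades

# On a real host the simulation changes nothing on disk:
#   apt-get -s upgrade | classify_upgrades
```

Packages reported as `other` are the ones to read a changelog for or test first; a package from a third-party source, like the PHP build in the question, never shows up as `security` because it does not come from a `-security` suite.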

Solution 2:

I have 3 years of experience using Ubuntu, from 16.04 LTS and 18.04 LTS to 20.04 LTS.

I used to do upgrades before, like doing

sudo apt-get update && sudo apt-get upgrade

or, when the System Updater popped up, clicking install, as most people online suggested and I trusted them. I thought that upgrading would make the system more stable, better and more secure, but actually it caused more problems... These behaviours caused many, many bugs, so that I spent lots of time debugging or reinstalling my system. For example: broken grub, broken wifi driver, broken nvidia driver, broken DNS resolver, etc.

And recently, I have figured it out.

My opinion is not to never upgrade. The reason why I always got lots of bugs is that apt-get upgrade will upgrade a lot of packages you do not know. If one of these packages does something wrong, it will cause some bugs. The more packages you upgrade, the more risk your system encounters. So my solution is to always upgrade only the specific packages you want to upgrade, like so:

sudo apt-get update

sudo apt-get --only-upgrade install <packages name>

And when you want to do sudo apt-get upgrade, you take risks. If the system goes well, lucky. If not, debug or reinstall.

But how about security updates, are they still safe?

In Software & Updates, in the Updates section, if you choose the option "Download and install automatically" for security updates, /usr/bin/unattended-upgrade will handle the security updates automatically.

You can check by

less /var/log/apt/history.log
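
Reading that log by eye gets slow once it has many transactions. The function below, an added example that is not part of the original answer, turns the `Upgrade:` entries of `/var/log/apt/history.log` into one line per package and marks whether the transaction was run by `/usr/bin/unattended-upgrade` or by hand, which helps trace a breakage back to the upgrade that introduced it. The sample log, its versions and the user name are constructed.

```bash
#!/usr/bin/env bash
# Added example: list upgraded packages per transaction from apt's history.log.
# Assumed entry shape:
#   Start-Date: <date>  <time>
#   Commandline: <command>
#   Upgrade: <pkg>:<arch> (<old>, <new>), <pkg>:<arch> (<old>, <new>)

history_upgrades() {
  # stdin: history.log content; stdout: "<date> <who> <pkg:arch> <old> -> <new>"
  awk '
    /^Start-Date:/  { date = $2; cmd = "" }
    /^Commandline:/ { cmd = substr($0, 14) }
    /^Upgrade:/ {
      who = (cmd ~ /unattended-upgrade/) ? "unattended" : "manual"
      n = split(substr($0, 10), items, /\), /)    # one item per package
      for (i = 1; i <= n; i++) {
        item = items[i]; sub(/\)$/, "", item)     # last item keeps its ")"
        split(item, parts, / \(|, /)              # pkg, old version, new version
        print date, who, parts[1], parts[2], "->", parts[3]
      }
    }'
}

# Constructed sample log (not taken from a real system).
SAMPLE_LOG='Start-Date: 2020-06-02  06:31:07
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (1.1.1f-1ubuntu2, 1.1.1f-1ubuntu2.1), libssl1.1:amd64 (1.1.1f-1ubuntu2, 1.1.1f-1ubuntu2.1)
End-Date: 2020-06-02  06:31:15

Start-Date: 2020-06-03  10:02:44
Commandline: apt-get upgrade
Requested-By: alice (1000)
Upgrade: grub-pc:amd64 (2.04-1ubuntu26, 2.04-1ubuntu26.2)
End-Date: 2020-06-03  10:03:30'

printf '%s\n' "$SAMPLE_LOG" | history_upgrades

# On a real host:
#   history_upgrades < /var/log/apt/history.log
```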