26

I have installed a new Debian Lenny Linux server that will be a LAMP and Subversion server. Should I enable automatic updates?

If I enable it, I am sure that I have the latest security patches. It also should not break my system, since Debian stable provides only security patches. If I install them manually, I may be at high security risk for multiple days or weeks.

Please keep in mind that I am not a full-time system administrator, so I do not have the time to look at security bulletins.

What do you usually do with your servers? What is your advice?

Peter Mortensen
user37220

7 Answers

28

(Warnings regarding automatic upgrades have already been voiced by previous posters.)

Given the track record of the Debian Security team in the last few years, I consider the risks of broken upgrades far less than the benefit of having automatic updates on seldom-visited systems.

Debian Lenny comes with unattended-upgrades, which originated in Ubuntu and is considered the de facto solution for unattended upgrades on Debian from Lenny/5.0 onward.

To get it up and running on a Debian system you need to install the unattended-upgrades package.

Then add these lines to /etc/apt/apt.conf:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

(Note: In Debian Squeeze/6.0 there is no /etc/apt/apt.conf. The preferred method is to use the following command, which will create the above lines in /etc/apt/apt.conf.d/20auto-upgrades:)

sudo dpkg-reconfigure -plow unattended-upgrades

A cron job is then run nightly and checks if there are security updates which need to be installed.

Actions by unattended-upgrades can be monitored in /var/log/unattended-upgrades/. Be aware that for kernel security fixes to become active, you need to reboot the server manually. This can also be done automatically in the course of a planned (e.g. monthly) maintenance window.

Jeremy Visser
Michael Renner
  • Just a question: will unattended-upgrades do any kind of upgrade, or only security-related ones? – lindelof Aug 20 '10 at 10:19
  • `unattended-upgrades` has a setting to specify only installing security updates. – Martijn Heemels Jul 28 '11 at 23:00
  • `unattended-upgrade` (without the `s`) only installs security updates. With `--debug --dry-run` you can get the list of packages in the log without installing them. – ignis Feb 03 '13 at 08:12
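An added example, not code from Michael Renner's answer or from the unattended-upgrades package: a POSIX shell script that verifies the two APT::Periodic settings the answer adds to apt.conf in a given config file, and scans an unattended-upgrades log for kernel packages, which only take effect after the manual reboot the answer mentions. The sample config files and log lines are constructed here; the log format approximates what unattended-upgrades writes, and the function names (apt_periodic_value, periodic_enabled, kernel_upgrades_in_log, make_samples) are my own.

```shell
#!/bin/sh
# Added example: audit the APT::Periodic settings from the answer and scan the
# unattended-upgrades log for kernel packages (reboot pending). Not code from
# the answer or from the unattended-upgrades package; helper names are invented.

# apt_periodic_value KEY FILE
# Prints the numeric value of APT::Periodic::KEY from an apt.conf-style file,
# or 0 when the key is absent (an unset interval means the job is disabled).
apt_periodic_value() {
    key=$1; file=$2
    # Matches lines such as:  APT::Periodic::Unattended-Upgrade "1";
    val=$(sed -n "s/^[[:space:]]*APT::Periodic::${key}[[:space:]]*\"\([0-9][0-9]*\)\";.*/\1/p" "$file" | tail -n 1)
    printf '%s\n' "${val:-0}"
}

# periodic_enabled FILE
# Returns 0 when both the package-list refresh and the unattended upgrade run
# are switched on, i.e. the two lines the answer adds to apt.conf are in effect.
periodic_enabled() {
    file=$1
    [ "$(apt_periodic_value Update-Package-Lists "$file")" -gt 0 ] &&
        [ "$(apt_periodic_value Unattended-Upgrade "$file")" -gt 0 ]
}

# kernel_upgrades_in_log LOGFILE
# Prints each linux-image-* package the log reports as upgraded, one per line.
# Non-empty output means the old kernel keeps running until the server reboots.
kernel_upgrades_in_log() {
    sed -n 's/.*Packages that are upgraded: //p' "$1" |
        tr ' ' '\n' | grep '^linux-image-' | sort -u
}

# make_samples: writes constructed sample files into a fresh temp dir and
# prints its path. The log lines approximate the unattended-upgrades format.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$d/disabled.conf" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
    cat > "$d/unattended-upgrades.log" <<'EOF'
2010-08-20 06:25:01,101 INFO Starting unattended upgrades script
2010-08-20 06:25:03,412 INFO Packages that are upgraded: openssl libssl0.9.8 linux-image-2.6.26-2-686
2010-08-20 06:26:10,770 INFO All upgrades installed
EOF
    printf '%s\n' "$d"
}

samples=$(make_samples)
if periodic_enabled "$samples/20auto-upgrades"; then
    echo "20auto-upgrades: unattended upgrades enabled"
fi
if periodic_enabled "$samples/disabled.conf"; then
    echo "disabled.conf: unattended upgrades enabled"
else
    echo "disabled.conf: unattended upgrades NOT enabled"
fi
pending=$(kernel_upgrades_in_log "$samples/unattended-upgrades.log")
if [ -n "$pending" ]; then
    echo "kernel updated, reboot required: $pending"
fi
rm -rf "$samples"
```

On a real host, point periodic_enabled at /etc/apt/apt.conf (or the 20auto-upgrades file that dpkg-reconfigure writes) and kernel_upgrades_in_log at the newest file under /var/log/unattended-upgrades/; non-empty output from the latter is the cue to schedule the reboot in the maintenance window the answer describes.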
6

Apt now comes with its own cron job, /etc/cron.daily/apt, and the documentation is found in the file itself:

#set -e
#    
# This file understands the following apt configuration variables:
#
#  "APT::Periodic::Update-Package-Lists=1"
#  - Do "apt-get update" automatically every n-days (0=disable)
#
#  "APT::Periodic::Download-Upgradeable-Packages=0",
#  - Do "apt-get upgrade --download-only" every n-days (0=disable)
#
#  "APT::Periodic::AutocleanInterval"
#  - Do "apt-get autoclean" every n-days (0=disable)
#
#  "APT::Periodic::Unattended-Upgrade"
#  - Run the "unattended-upgrade" security upgrade script
#    every n-days (0=disabled)
#    Requires the package "unattended-upgrades" and will write
#    a log in /var/log/unattended-upgrades
#
#  "APT::Archives::MaxAge",
#  - Set maximum allowed age of a cache package file. If a cache
#    package file is older it is deleted (0=disable)
#
#  "APT::Archives::MaxSize",
#  - Set maximum size of the cache in MB (0=disable). If the cache
#    is bigger, cached package files are deleted until the size
#    requirement is met (the biggest packages will be deleted
#    first).
#
#  "APT::Archives::MinAge"
#  - Set minimum age of a package file. If a file is younger it
#    will not be deleted (0=disable). Usefull to prevent races
#    and to keep backups of the packages for emergency.
tomdeb
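As an added illustration of the "every n-days (0=disable)" rule that header documents, here is a small shell reimplementation of the stamp-file check (written for this page, not the code of /etc/cron.daily/apt itself, whose stamp paths and exact arithmetic differ): an interval of 0 disables the job, a missing stamp means it has never run, and otherwise the job is due once the stamp is at least n days old. It assumes GNU coreutils for stat -c and touch -d, as shipped on Debian; the function names (job_due, touch_stamp, make_stamps) and the stamp file names are my own.

```shell
#!/bin/sh
# Added example: the "every n-days (0=disable)" rule from the cron job header,
# as a stamp-file check. This is an illustration written for this page, not the
# code of /etc/cron.daily/apt; it assumes GNU coreutils (stat -c, touch -d).

# job_due STAMPFILE INTERVAL_DAYS
# Returns 0 (run the job) when INTERVAL_DAYS > 0 and the stamp file is missing
# or at least INTERVAL_DAYS old; returns 1 otherwise. An interval of 0 is the
# documented way to disable a job, so it is never due.
job_due() {
    stamp=$1; interval=$2
    [ "$interval" -gt 0 ] || return 1
    [ -e "$stamp" ] || return 0      # never ran: due now
    now=$(date +%s)
    last=$(stat -c %Y "$stamp")      # mtime of the stamp = time of last run
    [ $((now - last)) -ge $((interval * 86400)) ]
}

# touch_stamp STAMPFILE: record a successful run, as the cron job does.
touch_stamp() {
    touch "$1"
}

# make_stamps: constructed sample stamps of different ages in a fresh temp dir;
# prints the directory path. No autoclean-stamp is created (job never ran).
make_stamps() {
    d=$(mktemp -d)
    touch -d '3 days ago' "$d/update-stamp"     # last "apt-get update" 3 days ago
    touch -d '2 hours ago' "$d/upgrade-stamp"   # last unattended-upgrade today
    printf '%s\n' "$d"
}

stamps=$(make_stamps)
for job in update upgrade autoclean; do
    if job_due "$stamps/$job-stamp" 1; then
        echo "$job: due (interval 1 day)"
    else
        echo "$job: not due"
    fi
done
if job_due "$stamps/upgrade-stamp" 0; then
    echo "upgrade: due"
else
    echo "upgrade with interval 0: disabled"
fi
rm -rf "$stamps"
```

Read with the header above: the value you set for APT::Periodic::Update-Package-Lists or APT::Periodic::Unattended-Upgrade is the INTERVAL_DAYS argument, and the cron job only touches its stamp after the corresponding apt-get run succeeds, so a failing run is retried the next night rather than silently skipped for n days.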
5

Just install apticron and change the EMAIL= setting in /etc/apticron/apticron.conf.

Apticron will check for the latest updates and download them. It will NOT install them. It will send you a mail listing the updates that are pending.

Dax
5

My advice: yes, get the security updates automatically. I had a dedicated Debian server about 4 years ago, without automated updates. I went on vacation around Christmas when a worm was released that exploited a known vulnerability in the distribution (don't remember which one). When I returned from vacation, my server was hacked.

For me, the risk of breaking the application is very low, much lower than the risk of being hacked by running versions with well-known vulnerabilities.

Julien
0

I never use automatic updates. I like upgrades to be done when I'm around and have time to clean things up if something goes wrong. If you don't want to deal with security bulletins, decide how long you are comfortable going between checks for updates, and just do updates every week. It's as simple as: "aptitude update; aptitude dist-upgrade" (or "aptitude safe-upgrade").

I prefer dedicating a little bit of time to this than to have my mail server go away suddenly and not come back up automatically.

kbyrd
0

I would recommend that you configure apt to check for updates daily, but to only notify you that they are available, and not perform them until you are around. There's always a chance that an apt-get upgrade will break something, or require some user input.

apticron is a good package to do this for you, or you could just make a cron job that executes something like:

apt-get update -qq; apt-get upgrade -duyq

I would recommend upgrading any time you see something of high priority or greater, but I also don't like to wait until there are 30 or 40 upgrades to perform, because then if something breaks it's harder to narrow down exactly which package broke your system.

Also, depending on what packages you are running on your LAMP server, you may want to add the Debian volatile and/or dotdeb repositories to your repository list, since they keep much more on top of patches and virus pattern updates than Debian's standard repos do.

Brent
0

We use cron-apt to automate downloads, and based on advice I saw here on SF we now include a source list with just security repositories in the cron-apt config file, so only security fixes are automatically installed without any further action.

nedm