timely updates for found security problems are critical.
semi-manual system update method:
there shall be a /scripts/update.sh which is run manually by the admin every week or every month on a fixed date:
- incremental backup (or even better snapshot) before update
- perform the update
- perform a reboot (as this is usually needed to make changes such as new kernels active)
lsb_release -a; # tested
Description: Debian GNU/Linux 11 (bullseye)

su - root
crontab -e; # will run the update process every night at 3:00 am
0 3 * * * /scripts/update.sh

vim /scripts/update.sh

#!/bin/bash
LOG=/scripts/update.sh.log
# never block an unattended (cron) run on a debconf or conffile prompt
export DEBIAN_FRONTEND=noninteractive
echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a "$LOG"
apt update 2>&1 | tee -a "$LOG"
apt -y upgrade 2>&1 | tee -a "$LOG"
echo "=== automatically removing un-needed packages (and old kernels) ===" | tee -a "$LOG"
# keeping too many old kernel versions might fill up the boot partition
apt -y autoremove 2>&1 | tee -a "$LOG"
echo "=== fine ===" | tee -a "$LOG"
echo "" | tee -a "$LOG"

chmod +x /scripts/update.sh; # cron can only run it if it is executable
fully automatic nightly updates via cron (as above) CAN also be a good solution, if:
- the system is software-wise very minimalistic (dedicated to one task only)
- the security of the update servers (mirrors) needs to be maximally strong
- it is probably wise to auto-update only within minor (point) releases of Debian (10.8 -> 10.9)
- automatic upgrades between major versions (Debian 10 -> 11) will often work (thanks to the Debian developers for that good work) but are risky
- thus: definitely BACKUP (OR BETTER SNAPSHOT) BEFORE MAJOR RELEASE UPGRADES! (DIST UPGRADE!)
- also, dist upgrades usually prompt the user to review and accept or discard changes to system config files, which an unattended run cannot answer
if those requirements are not met, go with the semi-manual method above.
Also: it is wise to have a non-production test system plus a list of test cases the test system needs to pass, before applying updates to production systems.
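A hardened variant of the update script, added here as an example (it is not the author's /scripts/update.sh): it serves both the semi-manual procedure (run by hand as `update.sh run`) and the nightly cron job, refuses to run twice at once, never stops on a prompt, logs how many of the pending packages come from the security archive, and reboots only when a kernel, libc or init upgrade actually requires it. The log path is the page's; the lock file path, the package-name heuristic for "needs a reboot" and the `apt-get -s upgrade` sample output embedded for self-testing are assumptions or constructed. The snapshot step from the list above depends on the storage (LVM, btrfs, ZFS) and is not included.

```shell
#!/bin/sh
# Added example, not the page's own script: a hardened /scripts/update.sh for
# Debian that serves both the semi-manual procedure (run by hand) and the
# nightly cron job. Assumed (not from the page): the lock file path and the
# constructed "apt-get -s upgrade" sample below.
set -eu

LOG=/scripts/update.sh.log            # log path taken from the page
LOCK=/run/lock/update.sh.lock         # assumption: any path on a tmpfs works

# Constructed sample of "apt-get -s upgrade" output (versions are made up),
# used to exercise the parsing functions without touching a real system.
SAMPLE_SIM='Reading package lists...
Calculating upgrade...
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst linux-image-amd64 [5.10.127-1] (5.10.140-1 Debian:11.5/stable [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf linux-image-amd64 (5.10.140-1 Debian:11.5/stable [amd64])'
NO_REBOOT_SIM='Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])'

log() {  # one timestamped line to stdout and the log file
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG"
}

# "apt-get -s upgrade" prints one "Inst <pkg> [old] (new origin [arch])" line per
# pending package. Count them all, and those coming from the security archive,
# so the log shows whether a security fix was applied that night.
count_pending() {
    printf '%s\n' "$1" | awk '$1 == "Inst" { n++ } END { print n + 0 }'
}
count_security() {
    printf '%s\n' "$1" | awk '$1 == "Inst" && /Debian-Security/ { n++ } END { print n + 0 }'
}

# A new kernel, libc or init only takes effect after a reboot; return 0 if one
# of them is pending, so the reboot step runs only when it is actually needed.
needs_reboot_from_sim() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" && ($2 ~ /^linux-image-/ || $2 == "libc6" || $2 == "systemd") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

run_update() {
    # refuse to run twice at once (cron plus an admin by hand); flock is in util-linux
    exec 9>"$LOCK"
    flock -n 9 || { log "another update is already running, exiting"; exit 1; }

    export DEBIAN_FRONTEND=noninteractive   # never hang an unattended run on a prompt
    log "=== update started ==="
    apt-get update >>"$LOG" 2>&1

    sim=$(apt-get -s upgrade 2>&1)
    log "pending: $(count_pending "$sim") package(s), $(count_security "$sim") from the security archive"

    # keep locally modified config files (force-confold) instead of prompting;
    # review conffile changes by hand on the test system first, as advised above
    apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold \
        upgrade >>"$LOG" 2>&1
    apt-get -y autoremove >>"$LOG" 2>&1   # drop old kernels before /boot fills up

    # /var/run/reboot-required is only written by some packages, so the
    # simulated-upgrade check above is the primary signal
    if needs_reboot_from_sim "$sim" || [ -f /var/run/reboot-required ]; then
        log "kernel/libc/init upgraded, rebooting in 1 minute"
        shutdown -r +1
    else
        log "no reboot needed"
    fi
    log "=== update finished ==="
}

case "${1:-}" in
    run) run_update ;;
    *)   echo "usage: $0 run    (cron: 0 3 * * * /scripts/update.sh run)" ;;
esac
```

With this variant the cron line becomes `0 3 * * * /scripts/update.sh run`. apt-get output is redirected into the log instead of piped through tee, so that a failing apt-get aborts the script under `set -e`; in plain sh a pipe into tee would hide apt-get's exit status.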
“Debian takes security very seriously.”
- “We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.”
- “Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public”
- “and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.”
- “Experience has shown that security through obscurity does not work.”
- “Public disclosure allows for more rapid and better solutions to security problems.”
- “In that vein, this page addresses Debian’s status with respect to various known security holes, which could potentially affect Debian.”
- “Debian also participates in security standardization efforts:
“In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list.”
You can use apt to easily get the latest security updates. This requires a line such as
deb http://security.debian.org/debian-security buster/updates main contrib non-free
this is the default setting for /etc/apt/sources.list in:

hostnamectl; # tested on
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-17-amd64
Architecture: x86-64

# how to update
su - root
apt-get update && apt-get upgrade

to download and apply the pending updates. The security archive is signed with the normal Debian archive signing keys.
apt-transport-https is obsolete, as apt itself can do https
requirement: /etc/apt/sources.list http -> https
no need to install apt-transport-https manually anymore, as it is “a dummy transitional package – https support has been moved into the apt package in 1.5. It can be safely removed”
IF (!!!) https is actually used in /etc/apt/sources.list (src)
which can be search & replaced like this in vim (the mirror must actually serve https, otherwise the next apt update fails):
su - root
vim /etc/apt/sources.list
:%s/http:/https:/g
apt show -a apt-transport-https

Package: apt-transport-https
Version: 188.8.131.52
Priority: optional
Section: oldlibs
Source: apt
Maintainer: APT Development Team <firstname.lastname@example.org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Tag: role::shared-lib
Download-Size: 149 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.halifax.rwth-aachen.de/debian buster/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.

Package: apt-transport-https
Version: 184.108.40.206
Priority: optional
Section: admin
Source: apt
Maintainer: APT Development Team <deity ÄT lists DOTTTT debian DOTT org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Download-Size: 149 kB
APT-Sources: http://security.debian.org/debian-security buster/updates/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.
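A small lint for /etc/apt/sources.list, added here as an example (not part of the original page or of Debian): it ties together two points above, the advice to auto-update only within minor releases and the http -> https change. A suite written as a release alias (`stable`, `testing`, ...) instead of a codename (`buster`, `bullseye`) silently becomes the next major version on release day, turning the nightly `apt upgrade` into an unplanned dist-upgrade; the lint counts such lines, counts active lines still on plain http, and applies the same http -> https rewrite as the vim command, leaving commented lines alone. The sample sources.list embedded below is constructed, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from the page: a lint for /etc/apt/sources.list that flags
# (a) suites named by release alias instead of codename and (b) lines still
# fetched over plain http, plus the http -> https rewrite done by the vim command.
set -eu

# Constructed sample sources.list (not copied from any real host).
SAMPLE_SOURCES='deb http://deb.debian.org/debian stable main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb https://deb.debian.org/debian buster-updates main
# deb http://ftp.halifax.rwth-aachen.de/debian buster main'

# Print the suite field of every active deb/deb-src line.
# Line format: deb [options] URI SUITE COMPONENT...; the optional [..] block is skipped.
active_suites() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(deb|deb-src)[ \t]/ {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            print $(i + 1)          # $i is the URI, the next field is the suite
        }'
}

# Count suites that are release aliases rather than codenames: on release day
# "stable" points at the new major version and a nightly upgrade follows it.
count_alias_suites() {
    active_suites "$1" | awk '
        /^(stable|oldstable|testing|unstable)(-updates|-security|-backports)?$/ { n++ }
        END { print n + 0 }'
}

# Count active lines that still fetch over plain http.
count_plain_http() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(deb|deb-src)[ \t]/ && index($0, "http://") > 0 { n++ }
        END { print n + 0 }'
}

# Rewrite http:// to https:// on active lines only (commented lines untouched).
# The mirror must actually serve https, otherwise the next "apt update" fails.
rewrite_https() {
    printf '%s\n' "$1" | sed '/^[[:space:]]*#/!s#http://#https://#g'
}

report() {  # human-readable summary for one sources.list content
    printf 'release-alias suites: %s\n' "$(count_alias_suites "$1")"
    printf 'plain-http lines:     %s\n' "$(count_plain_http "$1")"
}

# usage: sources-lint.sh [/etc/apt/sources.list]; without a file, lint the sample
if [ -n "${1:-}" ]; then
    report "$(cat "$1")"
else
    report "$SAMPLE_SOURCES"
fi
```

Run as `sources-lint.sh /etc/apt/sources.list` on the real file; a non-zero count of release-alias suites means the next Debian release would be installed automatically by the cron job, which is exactly the major-version upgrade the list above says to snapshot before.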