updates are a bless (fixes to problems, keep system secure from hackerz) but also a curse (it might break things)

on systems that follow the UNIX K.I.S.S principle, they should “just work”, to the extreme of (kernel) live patching (currently costs 500 bucks a year for ONE instance!)

timely updates for found security problems are critical.

semi-manual system update method:

there shall be a /script/update.sh which shall be run daily on times with little or no load to the system:

  1. incremental backup/snapshot before update
  2. perform the update
  3. perform a reboot (optional but probably wise to run the latest kernel)
  4. test “all” critical functionalities according to a pre-prepared list X-D
    • does it boot -> no -> revert snapshot/restore backup
    • is it possible to login -> no -> revert snapshot/restore backup
    • does it still do task x -> no -> revert snapshot/restore backup

crontab:

lsb_release -a; # tested
Description: Debian GNU/Linux 11 (bullseye)

su - root
crontab -e; # will run the update process every night at 3:00 am
0 3 * * * /scripts/update.sh

update script:

vim /scripts/update.sh
#!/bin/bash

echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a /scripts/update.sh.log

apt update 2>&1 | tee -a /scripts/update.sh.log
apt -y upgrade 2>&1 | tee -a /scripts/update.sh.log

echo "=== automatically removing un-needed packages (and old kernels) ==="
# keeping too many old kernel versions might fill up boot partition
apt -y autoremove | tee -a /scripts/update.sh.log
echo "=== fine ===" | tee -a /scripts/update.sh.log
echo "" | tee -a /scripts/update.sh.log

automatic updates?

CAN be also a good solution, if:

  1. the system is software wise very minimalistic (dedicated to one task only, again UNIX K.I.S.S principle)
  2. security of the update-servers need to be maximum strong (public internet facing server etc.)
  3. it is wise to auto-update only minor version of Debian distributions (10.8 -> 10.9)
    • upgrade between major versions (Debian 10 -> 11) should be done manually by the administration (they often work, but in comparison to complete re-install are a very very risky business)
    • thus: definitely BACKUP (OR BETTER SNAPSHOT) BEFORE MAJOR RELEASE UPGRADES! (DIST UPGRADE!)
      • also dist upgrades usually will prompt the user to review and accept or discard changes to system config files manually, so a complete automation is not (yet?) possible there

if those requirements are not met, go with semi-manual method:

  1. backup
  2. update
  3. test
  4. restore or keep

Also: it is wise to a have a test-test-system (as identical as possible to production) and test things out there, before applying it to production.

plus a list of test-cases that the test-system needs to meet, after updates were applied, so the system is guranteed to be in an “quality tested” state and very likely meet the functional requirements of production.

“Debian takes security very seriously.”

  • “We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.”
  • “Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public”
  • “and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.”
  • “Experience has shown that security through obscurity does not work.”
  • “Public disclosure allows for more rapid and better solutions to security problems.”
  • “In that vein, this page addresses Debian’s status with respect to various known security holes, which could potentially affect Debian.”
  • “Debian also participates in security standardization efforts:

src: https://www.debian.org/security/

Keeping your Debian system secure

“In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list.”

You can use apt to easily get the latest security updates. This requires a line such as

deb http://security.debian.org/debian-security buster/updates main contrib non-free

this is the default setting for /etc/apt/sources.list in
hostnamectl; # tested on
 Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-17-amd64
Architecture: x86-64

# how to update
su - root
apt-get update && apt-get upgrade

to download and apply the pending updates. The security archive is signed with the normal Debian archive signing keys.

For more information about security issues in Debian, please refer to the Security Team FAQ and a manual called Securing Debian.

apt-transport-https obsolete as apt can do https

requirement: /etc/apt/sources.list http -> https

no need to install apt-transport-https manually anymore, as it is “a dummy transitional package – https support has been moved into the apt package in 1.5. It can be safely removed”

IF (!!!) https is used in /etc/apt/sources.list (src)

which can be search & replaced like this in vim:

su - root
vim /etc/apt/sources.list
:%s/http:/https:/g
apt show -a apt-transport-https
Package: apt-transport-https
Version: 1.8.2.3
Priority: optional
Section: oldlibs
Source: apt
Maintainer: APT Development Team <deity@lists.debian.org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Tag: role::shared-lib
Download-Size: 149 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.halifax.rwth-aachen.de/debian buster/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.

Package: apt-transport-https
Version: 1.8.2.2
Priority: optional
Section: admin
Source: apt
Maintainer: APT Development Team <deity ÄT lists DOTTTT debian DOTT org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Download-Size: 149 kB
APT-Sources: http://security.debian.org/debian-security buster/updates/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!
admin