I need a bit of a reality check - can you help shatter a possibly harmful illusion?
Are there Debian-based distributions (with aptitude installed) where one cannot rely on "aptitude update; aptitude full-upgrade" to keep the OS up to date with all security patches?
It has been an article of faith to me for at least 10 years, that this is how I keep my system up to date. Perhaps it was all an illusion? Maybe letting go of these fanciful notions is necessary in order to grow up. Is it time to grow up?
Can the OS in a Debian install (assuming appropriate sources and aptitude installed) be kept up to date with all security patches, with regular use of "aptitude update; aptitude full-upgrade"?
*buntu?
Mint?
Devuan?
I am prepared to consider understanding that if 'upstream' stops supporting an app, e.g. Thunderbird 52, it might be difficult to just fling newer versions into position, invisibly, without special arrangements. Also, something esoteric like a "netinstall" might leave things out (as mentioned here https://dev1galaxy.org/viewtopic.php?id=4231) But the kernel?
If you really want to be up to date, you will have to compile the software & kernel yourself - otherwise you have to wait for someone else to do it & post it to the repos.
Last edited by Camtaf (2021-06-09 08:49:09)
I don't know what others do, but 'aptitude update && aptitude full-upgrade' will work properly in debian/devuan. You do need to have a line for the security repo in sources.list, but that's usually there by default.
I'm pretty sure that works in ubuntu, too. I'm not sure about mint. They break up their releases differently from the others.
If you really want to be up to date, you will have to compile the software & kernel yourself - otherwise you have to wait for someone else to do it & post it to the repos.
I have the idea that this is why I don't run Slackware? May Saint Patrick live long and prosper, but I am not l33t enough to keep on top of security advisories and dependencies.
I don't know what others do, but 'aptitude update && aptitude full-upgrade' will work properly in debian/devuan. You do need to have a line for the security repo in sources.list, but that's usually there by default.
I'm pretty sure that works in ubuntu, too. I'm not sure about mint. They break up their releases differently from the others.
Your words give me great comfort, and I thank you. I enquired of another distro why my kernel appeared to have remained unchanged for more than a year, and was told that 'auto-update' kernels were a recent introduction. Announcements were made, but it seems I missed the bit about apt alone not being enough.
I asked:
"Am I correct in assuming that every --- user who installed a version before ----, and relied on the apt system to update it, has been left on their original/install kernel, possibly for years?"
And was told:
"Possibly. But we announced the kernel updates prior and provided the methodology in " a separate (very useful) utility
So...it could be argued the fault was in my assumption. And not paying attention? So I asked the question here, and am paying attention to the answer. You could say I am trying to be an apt student.
Can I trust this sources.list from https://www.devuan.org/os/documentation … owulf.html as canon, at least until suitable mirrors are chosen?
/etc/apt/sources.list
deb http://deb.devuan.org/merged beowulf main
deb http://deb.devuan.org/merged beowulf-updates main
deb http://deb.devuan.org/merged beowulf-security main
Thanks again.
To upgrade a kernel...
How To Upgrade Linux Kernel
The easiest way to do this is to install one of the supplied Linux kernel image packages on your system. They may be obtained using apt-get or aptitude if you want to use the command line, or Synaptic if you want to use a GUI.
To install a Linux kernel image, you first have to decide which one you want to use. Start with
apt-cache search linux-image
Note that images are available for several flavours - depending on your architecture.
A good overview on available versions can also be seen at linux.
The latest version can be installed using:
$ sudo apt install linux-image-<flavour>
I only rarely bother, as I normally just update/upgrade the system files, but, if a major flaw has been found, then it's time for a newer kernel.
Last edited by Camtaf (2021-06-10 09:10:53)
Here's a little more explanation about what Camtaf posted -
If you install one of the kernel metapackages, you will always get the latest kernel on upgrade. Those packages are named like linux-image-amd64 or other linux-image-<arch>. Metapackages don't do anything themselves except automatically pull in other packages.
Without the metapackage, you need to manually install newer kernels when they come along. The actual kernel packages have the version in the package name, like linux-image-4.19.0-16-amd64 for instance.
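A way to check the two conditions raised in this thread (a security suite in the APT sources, and an installed kernel metapackage), as an added example that is not part of any post. The function names and result labels are made up for illustration, and the kernel check relies only on the package-naming pattern described above.

```shell
#!/bin/sh
# Added example; function names and result labels are illustrative.

# Reads one-line-style APT source entries on stdin. Succeeds if an active
# "deb" line uses a security suite: <release>-security (Devuan, newer Debian)
# or <release>/updates (older Debian). Only the suite field is tested, so a
# mirror URL that merely contains "security" does not count.
has_security_source() {
    awk '$1 == "deb" {
             i = 2
             # skip an optional [ option=value ... ] block before the URL
             if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
             suite = $(i + 1)
             if (suite ~ /-security$/ || suite ~ /\/updates$/) found = 1
         }
         END { exit !found }'
}

# Reads "dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n'" output on stdin.
# Prints "metapackage" if an unversioned linux-image-<arch> package is fully
# installed, "versioned-only" if only linux-image-<version>-<arch> packages
# are, and "none" otherwise. Removed packages (state "rc") are ignored.
kernel_update_mode() {
    awk '$1 == "ii" && $2 ~ /^linux-image-/ && $2 !~ /-dbg$/ {
             if ($2 ~ /^linux-image-[0-9]+\.[0-9]/) versioned++; else meta++
         }
         END {
             if (meta) print "metapackage"
             else if (versioned) print "versioned-only"
             else print "none"
         }'
}

# Live check on the running system (deb822 *.sources files are not parsed).
if [ "${1:-}" = "--live" ]; then
    if cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null |
        has_security_source
    then echo "security suite: present"
    else echo "security suite: NOT found in one-line sources"
    fi
    pkgs=$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'linux-image-*' 2>/dev/null)
    echo "kernel packages: $(printf '%s\n' "$pkgs" | kernel_update_mode)"
fi
```

Run it with `--live` on the machine itself; a result of "versioned-only" is the case described above, where newer kernels have to be installed by hand.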
I normally just update/upgrade the system files
Hi Camtaf
I am interpreting your statement here as doing exactly what I have been doing (for years), where I say I
rely on "aptitude update; aptitude full-upgrade" to keep the OS up to date with all security patches
Is my interpretation of your statement correct?
I feel as if the bicycle helmet that I have been using for years for brainial safety has just been revealed to be made of millimetre-thick hand-blown Venetian glass, so I am not sure I am being entirely rational here.
Because of this, I am trying to check my assumptions. (If we are agreeing, we soon find ourselves banned from the Internet for improper use of a forum)
As part of the assumption-checking progress, I need to consider that I was at fault in not becoming aware of this situation you mention here:
but, if a major flaw has been found, then it's time for a newer kernel.
Perhaps it was unreasonable of me to expect the distro to phone or knock on my door, or post an alert in large flaming letters on my desktop, just for the few old duffers who don't use their newer (admittedly interesting) homegrown package installer. I imagine that this is what the News and Announcements section of the forum is for. I do have the idea that if an update is recommended by The Team, the words "recommended by The Team" should be included. And perhaps "the update is only available through our homegrown package installer - I hope you're reading this, old duffers who only use aptitude".
It seems the distro has actually acknowledged a problem by moving to 'auto-updating' kernels (in "refreshes" that came after my installs) by what appears to be the mechanism of kernel metapackages like the one fsmithred describes - wasn't this revolutionary technology invented in the noughties?
Of course, sometimes a kernel reaches EOL - how do distros deal with this? It's probably beyond the metapackager's art. Is this, once again, a job for "News and Announcements"?
Of course, sometimes a kernel reaches EOL - how do distros deal with this? It's probably beyond the metapackager's art. Is this, once again, a job for "News and Announcements"?
Ben Hutchings works in close collaboration with the upstream kernel developers and maintains Debian's LTS kernel until that branch goes EOL.
Brianna Ghey — Rest In Power
Is my interpretation of your statement correct?
Yes.
Most problems seem to come from some program or other, so upgrading installed programs is mainly what I do - I'm just a 'desktop user'.
P.S. By the way, I use apt-get, always have, but there's no difference.
Last edited by Camtaf (2021-06-10 18:03:25)
Just as part of my newly-awakened interest in assumption-checking: Could it happen that an installed kernel, kept up-to-date via my mindless "aptitude update; aptitude full-upgrade", reaches a point where it no longer receives bugfixes & security updates (Is this the EOL concept?) but the distribution is still maintained? Is this impossible by definition? Or could a plan be made to migrate to another kernel while retaining the rest of the installed distribution/GNU utilities/installed programs/etc?
Like changing the handle on my grandfather's axe?
Would this be arranged automagically via e.g. the metapackage mechanism, or via an announcement in News and Announcements on dev1galaxy.org?
I am trying to get a handle on the barest minimum I need to do, to return to smirking smugly at people on outdated OSs.
Follow upstream updates on Debian. Here are two that I found with a simple search. You can join their mailing lists for the ones that suit you:
https://www.debian.org/News/2021/
https://wiki.debian.org/StableUpdates
All the updated Debian packages will be pulled in through the Devuan repos.
I subscribe to the Debian security-announce mailing list to keep myself updated.
https://lists.debian.org/debian-security-announce/
Another way would be to follow this page with an RSS reader:
https://www.debian.org/security/
Could it happen that an installed kernel, kept up-to-date via my mindless "aptitude update; aptitude full-upgrade", reaches a point where it no longer receives bugfixes & security updates (Is this the EOL concept?) but the distribution is still maintained?
No.
For example, Devuan beowulf uses the 4.19 LTS branch and that is supported until December 2024[0]; beowulf itself is due to go EOL in June 2024[1].
Brianna Ghey — Rest In Power
Thanks for the links, references, reminder about the LTS kernel, and the..er..simple search. I have fired up Liferea RSS reader and Thunderbird's RSS reader for the first time. They may be trying to tell me a bit too much about how the sausage is made, though.
It is perhaps a *little* disappointing that all the links point away from Devuan, but of course this is a tiny team trying to wrangle a monstrous stampede of catsnakes, and this is actually a complicated issue. Perhaps I could ask that if ever an extra mechanism besides aptitude is needed to keep a system up-to-date with security patches, a Devuan-specific advisory is posted in News and Announcements?
AFAIK, security patches come directly from Debian. Devuan does not touch 99% of Debian packages.