You want to use a combination of these commands at different times:

    apt-get -qq update            # necessary, no email desired
    apt-get -dy upgrade           # download minor updates, do not install, send email
    apt-get -y upgrade            # install minor updates, send email
    apt-get -qqdy dist-upgrade    # download major updates, do not install, no email
    apt-get -dy dist-upgrade      # download major updates, do not install, send email
    apt-get -y dist-upgrade       # install major updates, send email

This is what I do:

    daily:   apt-get -qq update && apt-get -qqdy dist-upgrade && apt-get -dy upgrade
    weekly:  apt-get -y upgrade && apt-get -dy dist-upgrade
    monthly: apt-get -y dist-upgrade

The daily cron job does not install anything and does not send email. It
just loads the cache with everything (-qqdy dist-upgrade) and sends email
about security updates (-dy upgrade).

The weekly job installs upgrades and sends email about what it did, and
also about which dist-upgrade packages it has downloaded (but not
installed).

The monthly job does a dist-upgrade (I'm ok with this) and sends email.

This approach is easy to tweak. What is important is that you can choose
to download and send email and *not* install; this gives you a notice
about what is available but requires you to manually log in and install
them. For an environment with more critical servers you would scale this
back; use apt-get dist-upgrade (no -y) or possibly even apt-get upgrade
(no -y), which will send you email but not install anything
automatically.

~mark

Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work but what
> about my first question?
> Let's say debian stable has the foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0
> updated to foo-1.0.1 for bugfix reasons.
> Meanwhile the author of foo releases version 2; debian stable will not
> upgrade the package because version 2 adds more features, has new
> dependencies, ...
> And now the author releases version 2.1, a critical security fix:
> there is a flaw found from version 1 to 2.
> The debian security team does its work and first tries to backport the
> security fix, but this time it's not possible so they have no other
> choice than to package version 2.1 in the security channel.
> As version 2.1 has new dependency requirements which are not
> installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%.
> I could accept this 1% risk only if I have a way to be warned, the server
> automatically sending me a mail for example, but I think there is no
> way to do that because there is no way to interface ourselves with apt
> (no plugin system at this time).
>
> Am I right?
>
> FP
>
> 2007/6/7, Riku Valli <[EMAIL PROTECTED]>:
>>
>> Frédéric PICA wrote:
>>> Thanks for your answer,
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to
>>> always have the latest security fixes?
>>> What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I
>>> have to be sure that dist-upgrade will not break my server by
>>> removing needed packages, for example mod_php for apache or things
>>> like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli <[EMAIL PROTECTED]>:
>>>
>>> Frédéric PICA wrote:
>>> > Greets,
>>> >
>>> > I saw in 'man apt-get' that using apt-get upgrade does not install
>>> > new packages or remove an already installed package.
>>> > Is it possible that I didn't get the latest security fixes using
>>> > apt-get upgrade in a cron job?
>>> > I think particularly about security fixes that can't be retro-ported
>>> > to the debian stable version and need an upgrade of the package to
>>> > the latest version available from the author; what's going on if the
>>> > package dependencies change? Will the security-patched package be
>>> > installed with its new dependencies anyway, or will the package not
>>> > be upgraded?
>>> >
>>> > Thanks for your help,
>>> > FP
>>> >
>>> >
>>> Hi
>>>
>>> apt-get upgrade only upgrades your packages to a newer version.
>>> When a package upgraded this way needs new extra packages, then
>>> upgrade can't upgrade your package. You must install it.
>>>
>>>
>>> -- Riku
>>>
>>>
>> Hi
>>
>> In the normal case, when you use Debian stable, you do only
>> update/upgrade and possibly need the switch -y (assume yes for every
>> question). On stable, dependencies normally never change. dist-upgrade
>> is (on stable) only used when you upgrade Debian releases from older
>> to newer.
>>
>> In the older stable there was only one kernel upgrade which needed
>> manual intervention.
>>
>> Maybe this is better explained in man aptitude, see below.
>>
>>     upgrade
>>         Upgrades installed packages to their most recent version.
>>         Installed packages will not be removed unless they are unused
>>         (see the section "Managing Automatically Installed Packages"
>>         in the aptitude reference manual); packages which are not
>>         currently installed will not be installed.
>>
>>         If a package cannot be upgraded without violating these
>>         constraints, it will be kept at its current version. Use
>>         the dist-upgrade command to upgrade these packages as
>>         well.
>>
>>     dist-upgrade
>>         Upgrades installed packages to their most recent version,
>>         removing or installing packages as necessary. This command is
>>         less conservative than upgrade and thus more likely to perform
>>         unwanted actions. Users are advised to either use upgrade
>>         instead or to carefully inspect the list of packages to be
>>         installed and removed.
>>
>>
>> -- Riku
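As an added example (not code from any of the posters), a small POSIX shell script that produces the warning mail FP asks for: it parses the output of apt-get's simulate flag (`apt-get -s`, which installs nothing) for both upgrade and dist-upgrade and reports pending security updates plus the packages that only dist-upgrade would install. The "Inst <pkg> [old] (new origin)" line shape is assumed, and the transcripts at the bottom are constructed samples standing in for real apt-get output.

```shell
#!/bin/sh
# Added example, not from the thread: parse `apt-get -s upgrade` and
# `apt-get -s dist-upgrade` transcripts (simulation, nothing installed) so a
# cron job can mail a warning. "Inst <pkg> [old] (new origin)" lines assumed.

# Package names from the "Inst" lines of a transcript read on stdin.
inst_pkgs() {
  awk '$1 == "Inst" { print $2 }' | sort -u
}
# Same, restricted to packages whose new version comes from a Debian-Security origin.
security_pkgs() {
  awk '$1 == "Inst" && /Debian-Security/ { print $2 }' | sort -u
}

# Packages dist-upgrade would install that plain upgrade skips (the "new
# dependencies, so upgrade keeps it back" case). $1/$2 are the two transcripts.
held_back() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" | inst_pkgs > "$tmp"
  printf '%s\n' "$2" | inst_pkgs | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# Mail body; prints nothing and returns 1 when there is nothing to report, so a
# cron job can do: body=$(report "$(apt-get -s upgrade)" "$(apt-get -s dist-upgrade)") &&
#   printf '%s\n' "$body" | mail -s 'apt report' root
report() {
  sec=$(printf '%s\n' "$1" | security_pkgs)
  held=$(held_back "$1" "$2")
  if [ -z "$sec" ] && [ -z "$held" ]; then return 1; fi
  if [ -n "$sec" ]; then
    printf 'Security updates apt-get upgrade would install:\n%s\n' "$sec"
  fi
  if [ -n "$held" ]; then
    printf 'Packages only dist-upgrade would install (check by hand):\n%s\n' "$held"
  fi
}

# Constructed sample transcripts mirroring the foo 1.0.1 -> 2.1 scenario above.
UPGRADE_SIM='The following packages have been kept back:
  foo
Inst openssh-server [4.3-1] (4.3-2 Debian-Security:stable)
Inst bash [3.1-1] (3.1-2 Debian:stable)'
DIST_SIM="Inst openssh-server [4.3-1] (4.3-2 Debian-Security:stable)
Inst bash [3.1-1] (3.1-2 Debian:stable)
Inst libbar (1.0 Debian-Security:stable)
Inst foo [1.0.1] (2.1 Debian-Security:stable)"

report "$UPGRADE_SIM" "$DIST_SIM"
```

Run from the daily cron job in place of the silent step, it mails only when a security update is pending or a package has been kept back, which is the 1% case FP wanted to be warned about.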