[Post updated to reflect the fact that Unattended Upgrades will by default update all packages and not just security packages as of Debian Buster and later.]
Linux Mint has recently found that a lot of its users don't apply updates, according to The Register. Why? "The idea of leaving something alone if it works seems attractive", suggests the article. The article also points out that some updates fix security vulnerabilities that "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
The Linux Mint Blog has a post on the importance of applying security updates, especially in web browsers like Firefox.
It is true that updates can cause problems. One option is for the system administrator to keep an eye on available security updates, research any potential issues, and monitor the system for any issues after installation.
Another option is to have your computer automatically apply security updates. This has been the default in Gnome on Debian since Debian 9 (Stretch).
This is the approach I have always taken, and in over ten years of using Debian, I have never noticed a security update cause a problem.
Firefox would occasionally update itself in the background and tell me that it needed to be restarted, and of course other security updates would be applied automatically too. I believe the default behaviour is for a Gnome notification of updates available to appear, before the updates are applied automatically. This is the behaviour I have observed anyway: there's sometimes a notification of updates available, then later on when you check the Gnome software centre reports the system is up to date. Other times the available updates remain until you take action to install them using APT, Synaptic or the Gnome software centre itself.
However, after a fresh install of Debian Bullseye with XFCE, I found that the system didn't do updates at all: not even notifications of available updates, let alone automatic installation.
In two previous posts I detailed two steps to take:
In this post I am going to describe how to enable installation of security updates.
The short answer is to install unattended-upgrades from the Debian repository, which will enable automatic package list update and automatically install security updates by default.
But what does it do?
As described in the first of the two posts above, on Debian Systemd runs a system scheduler which contains a timer called apt-daily.timer. By default it doesnt do anything, but installing apt-config-auto-update configures APT to check for updates when triggered by the timer.
unattended-upgrades installs a configuration file that tells APT to check for updates and automatically install security updates.
This file is 20auto-upgrades found in /etc/apt/apt.conf.d/.
The default contents are:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
unattended-upgrades also installs another configuration file called 50unattended-upgrades which tells APT what to update.
Unattended-Upgrade::Origins-Pattern {
// "origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
The default is to apply security [stable] updates (whatever the Debian version), but it's also possible automatically install other updates by uncommenting the applicable lines.
Just be sure to have the Debian security repository enabled in the Debian sources list and don't worry about missing security updates again!
Notes:
1) I believe the file 10periodic installed by apt-config-auto-update overrides 20auto-upgrades installed by unattended-upgrades.
2) You can add lines to 20auto-upgrades, for example
APT::Periodic::AutocleanInterval "7";
to clean up APT's cache every week.
3) The Debian Unattended Upgrades page contains information about how to be notified or view logs of updates applied.
Edit: The default for Unattended Upgrades was changed in Debian Buster, and now allows "stable" updates. The Debian Wiki says that Unattended Upgrades installs "security (and other)" updates, which to me implies that "other" is optional, but I found a note in the "News" file (found in /usr/share/doc/unattended-upgrades) which states:
Unattended-upgrades in previous versions defaulted to install
security updates only on Debian by using the label=Debian-Security
origin pattern. Now it is changed to allow updates with label=Debian,
which allows applying stable updates in stable releases and following
all package updates in testing and unstable.
In stable releases this unlocks installation of security updates
depending on package versions present only in stable updates.
I am not entirely sure what the last paragraph means, but I will observe my Buster system to see what it is doing. On my Bullseye computer, (currently Testing), the default install of Unattended Upgrades is definitely installing all package updates automatically.
Update: on Buster I have observed that the default setting installs security updates automatically, but point updates have to be installed manually.