Monday, April 12, 2021

An update on Debian updates

I recently wrote several posts on updates in Debian, on XFCE and Gnome, Bullseye and Buster.

The default, I wrote, was no notifications of updates and no automatic updates on XFCE in Bullseye, and notification of updates plus automatic installation of security updates in Gnome on Buster.

However, after applying the same default to XFCE, I noticed that I was actually getting automatic updates to all packages.

Sure enough, Gnome on Buster was also getting more than security updates.

It turns out that unattended-upgrades (the package which installs automatic updates in Debian) actually updates all packages by default in Debian Buster and later. (The default in previous versions of Debian was security updates only.)

I discovered this in a post on the Debian User Forum, which linked to the Debian Buster release information page. I found the NEWS.Debian file thanks to the Debian documentation.

It reads:

Unattended-upgrades in previous versions defaulted to install security updates only on Debian by using the label=Debian-Security origin pattern. Now it is changed to allow updates with label=Debian, which allows applying stable updates in stable releases and following all package updates in testing and unstable.

In stable releases this unlocks installation of security updates depending on package versions present only in stable updates.

Note that testing and unstable can often contain packages for which installation or upgrade performed by unattended-upgrades fails and requires the administrator to fix the system later.

My fault then for not reading the release information when I upgraded from Stretch.

The Debian Wiki page says:

The purpose of unattended-upgrades is to keep the computer current with the latest security (and other) updates automatically.

Which to me implies that other updates are optional, but obviously not.

I have updated the post on automatic updates in XFCE. As I am currently using XFCE on Debian Testing, I have disabled updates to all packages by commenting out the line:

//      "origin=Debian,codename=${distro_codename},label=Debian";

I have checked my Gnome installation on Debian Buster, and it also contains the line above, which means that "stable updates" are applied automatically. I've also updated my post on automatic updates in Gnome.
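As an added example (not from the post or the unattended-upgrades project), a small POSIX shell check that reads the Origins-Pattern block of an unattended-upgrades configuration, reports whether the active (uncommented) patterns include label=Debian (all stable updates) or only Debian-Security, and writes a copy with the all-updates line commented out in the same way as above. The configuration sample is constructed inline to resemble the Buster default; on a real Debian system the file to point the functions at is /etc/apt/apt.conf.d/50unattended-upgrades.

```shell
#!/bin/sh
# Constructed sample of an unattended-upgrades Origins-Pattern block
# (resembles the Debian Buster default, but is not a copy of it).
# On a real system use /etc/apt/apt.conf.d/50unattended-upgrades instead.
SAMPLE_CONF="$(mktemp)"
FIXED_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        // Lines starting with // are comments and are ignored by apt.
//      "o=Debian,n=buster,l=Debian-Security";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
EOF

# Print the active origin patterns: take the Origins-Pattern block,
# drop // comment lines, then keep only the quoted pattern strings.
active_origins() {
    sed -n '/Unattended-Upgrade::Origins-Pattern/,/^};/p' "$1" \
        | grep -v '^[[:space:]]*//' \
        | sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Echo "all" if label=Debian is active (every stable update is installed
# automatically), otherwise "security-only" (only Debian-Security).
update_scope() {
    if active_origins "$1" | grep -Eq 'label=Debian($|,)'; then
        echo all
    else
        echo security-only
    fi
}

# Write a copy of the config with the label=Debian line commented out,
# which is the edit the post makes by hand.
restrict_to_security() {
    sed 's|^\([[:space:]]*"[^"]*label=Debian";\)|//\1|' "$1"
}

restrict_to_security "$SAMPLE_CONF" > "$FIXED_CONF"
echo "sample config installs: $(update_scope "$SAMPLE_CONF")"
echo "fixed config installs:  $(update_scope "$FIXED_CONF")"
```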

Interestingly, the Gnome Blog states that Gnome will not install updates automatically. unattended-upgrades is a system package and overrides Gnome in Debian, which explains why Gnome notifies me of available updates, but they often disappear before I can install them, with the exception of Chrome, whose repository is not included in unattended-upgrades. NB: unattended-upgrades is triggered to run within a randomised period, so update notifications, whether those displayed by default in Gnome or by the options I described in XFCE (Conky, Genmon), may appear for a few minutes or a few hours before disappearing if you have unattended-upgrades installed.

I hope this post helps anybody struggling, like me, to work out how automatic updates happen in Debian. Apologies for any confusion caused previously.