How do you use apt-get to only install critical security updates on ubuntu?

I read the apt-get man page carefully when I got tired of manually editing the sources.list every time I wanted to only apply security updates (that means the second time).

Figured this solution out:

sudo cp /etc/apt/sources.list /etc/apt/security.sources.list

Edit the latter to contain only security repositories, then:

sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

Tadaaaa... Scriptable stuff.

Try the unattended-upgrades or any of the other methods listed here. It can be used to configure automatic security updates (I believe it's used when asked during the installer) as well as other upgrades automatically. See the man pages for more details.

If you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. Great if you aren't supposed to be making changes while auditing a system or whatever.

These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s

Still valid for older distros or if you have update repos off, but security on:

sudo apt-get upgrade -s| grep ^Inst |grep Security 

I don't know if it will work, but apt has it's sources in /etc/apt/sources.list and/or /etc/sources.list.d/

Why not edit the file, and comment all lines that are not part of the security updates ?

The security lines for apt should be something like this:

deb http://security.ubuntu.com/ubuntu ..... ..... ...

Leave those lines alone and comment all the others.

What I do:

apt-get update
apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )