I have GNU/Linux Debian servers (Etch/Lenny) in production. I want these systems to stay up to date. I have installed apticron, which tells me what package needs an upgrade. What is the good practice for production servers and stable releases of Debian:
- always upgrade all packages (risky or not on Debian stable?) OR
- only apply security updates (enough or not?)
Thanks!
I usually apply every update on the stable branch; no problems for years and years, even passing from one release to another.
My servers live with a daily, manually run, upgrade-system (great tool) and they have been updated and upgraded from Woody to Lenny quite simply.
Of course I do not make the updates via cron, I get only the updates availability this way.
In case of core packages such as glibc I first test the update on a non production machine, of course.
PS: I strongly recommend upgrade-system, as it runs deborphan too and helps to keep the system up to date and clean at the same time.
My 2 cents
Edit:
Note that inside a given release (Lenny, for example) there can perfectly well be a "sub-release", say 5.0-r1, 5.0-r2 and so on.
As reported in the Wikipedia page on Debian, a stable release can be updated to fulfil security and/or usability issues:
"stable, presently aliased lenny, is the current release that has stable and well tested software. Stable is made by freezing testing for a few months where bugs are fixed in order to make the distribution as stable as possible; then the resulting system is released as stable. It is updated only if major security or usability fixes are incorporated."
The short answer to asdmin's opposition is that it is perfectly possible to have non-security-related updates even inside the same major stable release.
Once you have a Debian stable release installed (Etch, in your example) you will not have anything but security fixes to install. Debian's policy is not to change/upgrade the software within a given release but just to provide fixes for problems which have been discovered between two releases.
By the way, I wouldn't let anything do the upgrade but myself. A malformed install/init script will make your system unavailable in a minute, therefore you can and shall use download helpers, but do not let the upgrade process go unsupervised.
In this similar question there's an answer pointing to the very promising apt-dater program, with which you can manage updates and install packages from a central location with an ncurses interface.
I have started using cron-apt after I asked a similar question and have found it to be quite useful.
Cron-apt downloads the updates and can send an e-mail when there are new differences so that you can manually upgrade.
I currently have it set up so that it checks for new updates every night and mails me when there are new updates to be installed.
I only download and install updates for stable packages and usually do a short check on the release notes (if any) so that I know what I am actually upgrading.
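An added example, not taken from any of the answers above and not the code of apticron, cron-apt or upgrade-system: a POSIX shell snippet that takes the output of `apt-get -s upgrade` (a simulation that changes nothing on the host) and splits the pending upgrades into those coming from the Debian-Security archive and those coming from an ordinary stable point release. This is exactly the "all updates or only security updates" decision the question asks about, and it lets the pending list be reviewed before anything is installed, in the spirit of the answers that insist on supervised upgrades. The sample apt output below is constructed for the example; the origin labels `Debian-Security:5.0/stable` and `Debian:5.0.4/stable` follow the format apt prints for Lenny-era archives, but the package versions are made up.

```shell
#!/bin/sh
# Split pending Debian upgrades by archive origin, using the "Inst" lines
# that `apt-get -s upgrade` prints (the -s simulation installs nothing).
#
# Constructed sample output (not captured from a real host). Each Inst line
# has the form:  Inst <pkg> [<old>] (<new> <origin> [<arch>])
SAMPLE_APT_SIMULATION='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libc6 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [2.7-18lenny2] (2.7-18lenny4 Debian-Security:5.0/stable [i386])
Inst openssl [0.9.8g-15+lenny5] (0.9.8g-15+lenny6 Debian-Security:5.0/stable [i386])
Inst tzdata [2009l-0lenny1] (2010b-0lenny1 Debian:5.0.4/stable [i386])
Conf libc6 (2.7-18lenny4 Debian-Security:5.0/stable [i386])
Conf openssl (0.9.8g-15+lenny6 Debian-Security:5.0/stable [i386])
Conf tzdata (2010b-0lenny1 Debian:5.0.4/stable [i386])'

# Print one "pkg old_version new_version origin" line per pending upgrade.
# $1 is the full text of an apt-get -s upgrade run.
parse_inst_lines() {
    printf '%s\n' "$1" | awk '$1 == "Inst" {
        pkg = $2
        old = $3; gsub(/[][]/, "", old)      # strip the [ ] around the old version
        new = $4; sub(/^\(/, "", new)         # strip the ( before the new version
        origin = $5; sub(/\)$/, "", origin)   # strip a trailing ) if no arch follows
        print pkg, old, new, origin
    }'
}

# Space-separated names of packages whose origin is the security archive.
# The Debian-Security label comes from the security.debian.org Release file.
security_packages() {
    parse_inst_lines "$1" | awk '$4 ~ /^Debian-Security:/ {
        printf "%s%s", (n++ ? " " : ""), $1
    } END { print "" }'
}

# Space-separated names of packages coming from the regular stable archive
# (point-release updates), i.e. everything that is not a security update.
other_packages() {
    parse_inst_lines "$1" | awk '$4 !~ /^Debian-Security:/ {
        printf "%s%s", (n++ ? " " : ""), $1
    } END { print "" }'
}

# Demonstration on the constructed sample. On a real host you would feed
# the live simulation instead, e.g.:
#   sec=$(security_packages "$(apt-get -s upgrade)")
# and then review that list before running `apt-get install $sec` by hand.
echo "security updates: $(security_packages "$SAMPLE_APT_SIMULATION")"
echo "other updates:    $(other_packages "$SAMPLE_APT_SIMULATION")"
```

The split relies only on the origin label apt already prints, so it works with a plain `deb http://security.debian.org/ lenny/updates main` line in sources.list and needs no pinning. Because the simulated run never installs anything, the script can sit behind the nightly check that apticron or cron-apt already performs and the resulting list is what you review before upgrading manually.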