# Updating Your Debian or Ubuntu Desktop Safely

Bruce Byfield wrote an article about [the dangers of automatic
updates][1] at Linux.com. I agree with him that updates are often
dangerous; however, I will say that after many years of updating
systems running Debian "stable", I have not encountered any problems
afterwards. After all, it's Debian's policy [not to include any
non-security updates in their stable branch][2].

I don't take any chances, and run the updates manually, but still no
problems. The one big weakness of this policy over the years was
that it excluded updates for packages that did need them - like
Snort or ClamAV. With [Debian volatile][3], this is no longer an
issue.

My Ubuntu desktop, however, is another story. I tend not to update
it unless I feel it is absolutely necessary - it usually isn't. With
no services open to the world, security vulnerabilities will tend to
be exposed via web or email, so important updates usually revolve
around Firefox (I use mutt for email).

There are a couple of good ways on Debian or Ubuntu desktops to make
updates a bit safer: You can select individual updates with the
graphical update manager, or use apt-listchanges from a shell
prompt. Using the update manager, you can not only select individual
updates, you can also display detailed changelogs for the new
version, so you can make an informed decision on whether or not to
upgrade. Just select a package and click on the "Description of
update" arrow.

Using the command line, let's say you just wanted to upgrade the
'tar' utility. Apt-listchanges gives us functionality similar to
the graphical update manager. First we have to install and configure
it. The 'dpkg-reconfigure' step, below, will ask you a bunch of
questions - the important ones are to have apt-listchanges display
both changelogs and news, and to ask for confirmation before
proceeding.

```
sudo apt-get update
sudo apt-get install apt-listchanges
sudo dpkg-reconfigure apt-listchanges
```

My /etc/apt/listchanges.conf is shown below. It gets auto-generated
by the 'sudo dpkg-reconfigure apt-listchanges' step, but you can
certainly edit it by hand:

```
[apt]
frontend=pager
email_address=thinknix
confirm=1
save_seen=/var/lib/apt/listchanges.db
which=both
```

Now, after apt downloads the updated tar package, it will display a
changelog, and ask for confirmation before updating:

```
thinknix@dev:~$ sudo apt-get install tar
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded: tar
1 upgraded, 0 newly installed, 0 to remove and 112 not upgraded.
Need to get 0B/322kB of archives.
After unpacking 0B of additional disk space will be used.
Reading changelogs... Done
...
tar (1.16-2ubuntu0.1) feisty-security; urgency=low
* SECURITY UPDATE: directory traversal with malicious tar files.
* src/names.c: adjust dot dot checking, patched inline.
* References CVE-2007-4131
....
apt-listchanges: Do you want to continue? [Y/n]?
```
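
When many packages are pending, the changelog header line (`package (version) distribution; urgency=...`) and any CVE references are what tell you which updates are worth taking. The following is an added example, not part of the original post: a small shell/awk filter that reads changelog text in the format shown above on stdin and prints one triage line per entry. The function names and the second sample entry are constructed for illustration.

```shell
# Added example: triage changelog entries before confirming an upgrade.
# Prints: package version distribution urgency security|routine CVE-list

changelog_triage() {
    awk '
    function flush() {
        if (pkg != "")
            printf "%s %s %s %s %s %s\n", pkg, ver, dist, urg,
                   (sec ? "security" : "routine"), (cves == "" ? "-" : cves)
    }
    # Entry header: "package (version) distribution(s); urgency=level"
    /^[a-z0-9][a-z0-9+.-]* \([^)]+\) [^;]+; urgency=/ {
        flush()
        pkg = $1
        ver = $2; gsub(/[()]/, "", ver)
        dist = $0; sub(/^[^)]*\) /, "", dist); sub(/;.*/, "", dist)
        gsub(/ /, ",", dist)
        urg = $0; sub(/.*urgency=/, "", urg); sub(/[^a-zA-Z].*/, "", urg)
        sec = (dist ~ /-security/); cves = ""
        next
    }
    # Body lines: note security wording and collect each CVE id once.
    pkg != "" {
        if (toupper($0) ~ /SECURITY/) sec = 1
        line = $0
        while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            id = substr(line, RSTART, RLENGTH)
            if (index("," cves ",", "," id ",") == 0)
                cves = (cves == "" ? id : cves "," id)
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { flush() }
    '
}

# Constructed sample: the tar entry from the post plus a made-up routine entry.
sample_changelog() {
    cat <<'EOF'
tar (1.16-2ubuntu0.1) feisty-security; urgency=low
* SECURITY UPDATE: directory traversal with malicious tar files.
* src/names.c: adjust dot dot checking, patched inline.
* References CVE-2007-4131
examplepkg (2.0-1) unstable; urgency=medium
* New upstream release.
EOF
}

sample_changelog | changelog_triage
```

An entry is marked `security` when its distribution field names a `-security` pocket or its text mentions a security fix, so the tar update above stands out from routine uploads.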

[1]: http://www.linux.com/feature/119162
[2]: http://www.us.debian.org/doc/FAQ/ch-getting.en.html#s-updatestable
[3]: http://www.debian.org/volatile/