Security is not a binary variable, but managed in terms of risk. Update your stuff, don’t expose it to the open Internet if it doesn’t need it, and so on. If it’s a server, it should probably have unattended upgrades.
If it’s a server, it should probably have unattended upgrades.
Interesting opinion, I’ve always heard that unattended upgrades were a terrible option for servers because it might randomly break your system or reboot when an important service is running.
There are two schools of thought here. The “never risk anything that could potentially break something” school and the “make stuff robust enough that it will deal with broken states”. Usually the former doesn’t work so well once something actually breaks.
That only applies to unstable distros. Stable distros, like debian, maintain their own versions of packages.
Debian in particular, only includes security patches and changes in their packages - no new features at all.* This means risk of breakage and incompatibilitu is very low, basically nil.
*exceot for certain packages which aren’t viable to maintain, like Firefox or other browsers.
Both my Debian 12 servers run with unattended upgrades. I’ve never had anything break from the changes in packages, I think. I tend to use docker and on one even lxc containers (proxmox), but the lxc containers also have unattended upgrades running.
Do you just update your stuff manually or do you not update at all? I’m subscribed to the Debian security mailing list, and they frequently find something that means people should upgrade, recently something with the glibc.
Debian especially is focused on being very stable, so updating should never break anything that wasn’t broken before. Sometimes docker containers don’t like to restart so they refuse, but then I did something stupid.
I used to check the cockpit web interface every once in a while, but I’ve tried to enable unattended updates today. It doesn’t actually seem to work, but I planned on switching to Nix anyway.
I don’t use Cockpit, I just followed the Debian wiki guide to enabling unattended upgrades. As fast as I remember you have to apt install something and change a few lines in the config file.
It’s also good to have SMTP set up, so your server will notify you when something happens, you can configure what exactly.
Security is not a binary variable, but managed in terms of risk. Update your stuff, don’t expose it to the open Internet if it doesn’t need it, and so on. If it’s a server, it should probably have unattended upgrades.
Interesting opinion, I’ve always heard that unattended upgrades were a terrible option for servers because it might randomly break your system or reboot when an important service is running.
There are two schools of thought here. The “never risk anything that could potentially break something” school and the “make stuff robust enough that it will deal with broken states”. Usually the former doesn’t work so well once something actually breaks.
That only applies to unstable distros. Stable distros, like debian, maintain their own versions of packages.
Debian in particular, only includes security patches and changes in their packages - no new features at all.* This means risk of breakage and incompatibilitu is very low, basically nil.
*exceot for certain packages which aren’t viable to maintain, like Firefox or other browsers.
Not having automated updates can quickly lead to not doing updates at all. Same goes for backups.
Whenever possible, one should automate tedious stuff.
Thanks for the reminder to check my backups
Both my Debian 12 servers run with unattended upgrades. I’ve never had anything break from the changes in packages, I think. I tend to use docker and on one even lxc containers (proxmox), but the lxc containers also have unattended upgrades running.
Do you just update your stuff manually or do you not update at all? I’m subscribed to the Debian security mailing list, and they frequently find something that means people should upgrade, recently something with the glibc.
Debian especially is focused on being very stable, so updating should never break anything that wasn’t broken before. Sometimes docker containers don’t like to restart so they refuse, but then I did something stupid.
I used to check the cockpit web interface every once in a while, but I’ve tried to enable unattended updates today. It doesn’t actually seem to work, but I planned on switching to Nix anyway.
I don’t use Cockpit, I just followed the Debian wiki guide to enabling unattended upgrades. As fast as I remember you have to apt install something and change a few lines in the config file.
It’s also good to have SMTP set up, so your server will notify you when something happens, you can configure what exactly.