On a Ubuntu 12.04 webserver we´re sending a nigthly report about upgrades for this machine running a cron with upgrade in dry run
apt-get update && upgrade --dry-run
In past we created a snapshot and after that run all of the upgrades. A bit worried that an upgrade could break something we´re now thinking about not upgrading every package apt-get tells us. This brings confusion which is the best way to go.
Questions:
it common to upgrade every package apt-get tells us? - or only to defined packages
apt-get install --only-upgrade packagename
If we only upgrade defined packages will apt-get still care about dependencies?
If it´s adviseable to not run every available upgrade for this machine is it better to run only defined upgrades as written above or to hold back packages with:
apt-mark hold package_name
If none of them is best practise (define or hold packages) is it adviseable to check for security upgrades only with
apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
and run them with
apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs apt-get install
