Staying Current with Your Distribution's Security Updates

Keeping software up to date is the first lesson for beginning Linux administrators. Jeremy covers how to do it with the most popular update tools, click by click.
Debian 3.0 (Woody)

Advanced Package Tool (APT) is where you probably will do most of your command-line package management in Debian. APT uses a list of repositories with available packages. If there is a newer package version in the repository's Package list, APT downloads the package and hands the process over to dpkg. First, make sure you have the security update source in your sources.conf file. It should read:

deb stable/updates main

Instead of the word stable, you might have woody instead, but either will do. After editing the sources.conf file, you also need to update your available package list. To update and then upgrade them, run the apt-get two-step:

# apt-get update
# apt-get upgrade

This upgrades only packages that do not require modifications to other packages. To upgrade packages that do require some sort of dependencies, run:

# apt-get update
# apt-get -u dist-upgrade

The -u switch shows exactly which packages will be upgraded, newly installed or removed. You can set these lines to run from the crontab and have your machine download, but not install, the latest packages you need. A command to put in your crontab file might look like:

(apt-get update && apt-get -dy upgrade) \
| mail -s "`hostname` update" root

This command downloads the list of the latest packages and, if successful, downloads the packages that need to be updated. It sends the results by e-mail to the root user. Substitute your user name or e-mail address as necessary. When you receive e-mail notifying you that there are updates, you can run:

# apt-get upgrade

This installs the previously downloaded packages allowing you to be present at the console or terminal. Some package upgrades require additional user input, so it may not be wise to run a completely automated upgrade solution.

Available on the GUI side for Debian users, Synaptic is a complete front end to dpkg. To run Synaptic, go to the Debian menu in your desktop environment and select Apps→System→Synaptic Package Manager. Synaptic works much the same as APT. To update your list of available packages, click the Reload button at the top left of the window. A window list of mirror locations updates you on the status of the package list download. When Synaptic finishes downloading the package lists, you can view all available upgrades. Packages that need to be upgraded have a green box and an arrow pointing up. Newly available packages have a yellow star on the box. Installed packages have a green box, and not installed packages have a white box.

To download and install all package updates, click the Apply button. You then are prompted with a window detailing which packages will be upgraded, installed, kept back or removed (Figure 1). Kept back means that the package would require other dependencies that were not stated specifically. Clicking Apply begins downloading the updates. Following the download process, the updates will install in a terminal-like text box, allowing you to answer questions if needed. When finished, click the Close button (Figure 2).

Figure 1. Synaptic Showing the Applications to Be Modified

Figure 2. Synaptic after All Upgrades Have Been Performed

Mandrake 10.0

When installing Mandrake 10.0, one of the final steps before the first login is to check for any critical updates. If you are installing this distribution from scratch, this would be a great step. However, what do you do now that Mandrake is installed, and you need a patch for a security hole?

Mandrake 10.0 users have a nice GUI package management application called rpmdrake. You can find it by clicking on the KDE star menu and selecting System→Configuration→Packaging→Mandrake Update. You also can run rpmdrake as root on the command line. Answer a couple of questions, and then you are presented with a list of packages that need updating due to security updates (Figure 3). To update all of them, click in the box on the All line, then press the Install button, and grab your favorite beverage!

Figure 3. rpmdrake's List of Available Package Upgrades

After downloading and installing all updates, you are presented with a dialog box letting you know everything has been installed. It's that easy.

The command-line urpmi package was installed with my stock installation of Mandrake 10.0. urpmi acts much like APT, allowing you to use multiple sources to update packages. These repositories can be accessed by CD-ROM, a local RPM directory or an FTP or HTTP Internet source. For our purpose of installing security updates, we want to run something like the following command:

# urpmi.addmedia --update updates \ \
with ../base/

This adds security updates from an FTP mirror to your list of sources. You need to substitute the ftp:// URL with a real mirror. The Web site Easy urpmi gives you a nice Web interface to choose your nearest mirror, your architecture and from which source pools you'd like to download updates.

To update the list of available packages and then install all package updates, do the urpmi two-step:

# urpmi.update -a
# urpmi --auto-select

You then are prompted to install the updated packages and any dependencies, if necessary.