[Q] Raspi: Is there any repository for security updates

in a standard Debian installation a repository for security updates is available, e.g.

http://security.debian.org stretch/updates main contrib

Is there any comparable repo for Raspi’s platform armhf?


Nope, sadly Raspbian does not have a security repo, but I guess the updates, shipped via Debian security repo, will be ported after some delay into the Raspbian main repo.

The security repos aim is only, that on production-critical systems, one can only apply the security-relevant APT package upgrades from the security repo, instead of applying all minor updates from main repo as well. This reduces the risk of issues due to package updates. Although in very most cases you want all of them, and there are very rarely issues. Generally running an apt upgrade on Debian/Raspbian stable (currently Stretch) can be considered as very stable and safe.

You can also install/configure unattended-upgrades that will install security updates for you


But once a week or so just run

# apt update && apt upgrade -y

And you should be good to go

Jep, but note that this does not more then apt update && apt upgrade, AFAIK, so will still apply from the main branch on Raspbian. But not 100% sure to be true.

And, more importantly, on DietPi we masked the required APT systemd time, since those randomly occur and block APT while running. This can lead to error messages and failing scripts, if those as well contain APT updates/upgrades.

If you want that feature, you need to:

systemctl unmask apt-daily.service
systemctl unmask apt-daily.timer
systemctl unmask apt-daily-upgrade.service
systemctl unmask apt-daily-upgrade.timer

And you need to know, that DietPi scripts might fail, if those attempt to run APT parallel to the systemd timers. But this should not be an issue, since you can usually choose to retry the APT step, if error prompts.

Actually my intention was to use Debian’s UnattendedUpgrades https://wiki.debian.org/UnattendedUpgrades, however I prefer to auto-update security patches only.

If Raspbian does not provide a security update it makes no sense to use UnattendedUpgrades here.

If I see the linked wiki correctly, then you can configure UnattendedUpgrades and choose which updates/upgrades to install. I guess on Raspbian this will be by default configured differently compared to Debian, due to missing dedicated security repo. But not sure honestly.

Yeah, if you want auto upgrades for security updates only, then I think this is indeed not possible on Raspbian. I also prefer to run APT upgrades only when I watch the terminal, so I can see what’s going on.

This is exactly what I think.