Page 1 of 1

[Q] Raspi: Is there any repository for security updates

Posted: Wed Jan 23, 2019 2:39 pm
by 74cmonty
Hi,
in a standard Debian installation a repository for security updates is available, e.g.

Code: Select all

http://security.debian.org stretch/updates main contrib
Is there any comparable repo for Raspi's platform armhf?

THX

Re: [Q] Raspi: Is there any repository for security updates

Posted: Wed Jan 23, 2019 3:34 pm
by MichaIng
Nope, sadly Raspbian does not have a security repo, but I guess the updates, shipped via Debian security repo, will be ported after some delay into the Raspbian main repo.

The security repos aim is only, that on production-critical systems, one can only apply the security-relevant APT package upgrades from the security repo, instead of applying all minor updates from main repo as well. This reduces the risk of issues due to package updates. Although in very most cases you want all of them, and there are very rarely issues. Generally running an apt upgrade on Debian/Raspbian stable (currently Stretch) can be considered as very stable and safe.

Re: [Q] Raspi: Is there any repository for security updates

Posted: Wed Jan 23, 2019 4:24 pm
by WarHawk
You can also install/configure unattended-upgrades that will install security updates for you

https://wiki.debian.org/UnattendedUpgrades

But once a week or so just run

Code: Select all

# apt update && apt upgrade -y
And you should be good to go

Re: [Q] Raspi: Is there any repository for security updates

Posted: Wed Jan 23, 2019 5:00 pm
by MichaIng
Jep, but note that this does not more then apt update && apt upgrade, AFAIK, so will still apply from the main branch on Raspbian. But not 100% sure to be true.

And, more importantly, on DietPi we masked the required APT systemd time, since those randomly occur and block APT while running. This can lead to error messages and failing scripts, if those as well contain APT updates/upgrades.

If you want that feature, you need to:

Code: Select all

systemctl unmask apt-daily.service
systemctl unmask apt-daily.timer
systemctl unmask apt-daily-upgrade.service
systemctl unmask apt-daily-upgrade.timer
And you need to know, that DietPi scripts might fail, if those attempt to run APT parallel to the systemd timers. But this should not be an issue, since you can usually choose to retry the APT step, if error prompts.

Re: [Q] Raspi: Is there any repository for security updates

Posted: Sun Jan 27, 2019 7:54 pm
by 74cmonty
Actually my intention was to use Debian's UnattendedUpgrades https://wiki.debian.org/UnattendedUpgrades, however I prefer to auto-update security patches only.

If Raspbian does not provide a security update it makes no sense to use UnattendedUpgrades here.

Re: [Q] Raspi: Is there any repository for security updates

Posted: Sun Jan 27, 2019 9:33 pm
by MichaIng
If I see the linked wiki correctly, then you can configure UnattendedUpgrades and choose which updates/upgrades to install. I guess on Raspbian this will be by default configured differently compared to Debian, due to missing dedicated security repo. But not sure honestly.

Yeah, if you want auto upgrades for security updates only, then I think this is indeed not possible on Raspbian. I also prefer to run APT upgrades only when I watch the terminal, so I can see what's going on.

Re: [Q] Raspi: Is there any repository for security updates

Posted: Sun Jan 27, 2019 10:08 pm
by 74cmonty
MichaIng wrote: Sun Jan 27, 2019 9:33 pm If I see the linked wiki correctly, then you can configure UnattendedUpgrades and choose which updates/upgrades to install. I guess on Raspbian this will be by default configured differently compared to Debian, due to missing dedicated security repo. But not sure honestly.

Yeah, if you want auto upgrades for security updates only, then I think this is indeed not possible on Raspbian. I also prefer to run APT upgrades only when I watch the terminal, so I can see what's going on.
This is exactly what I think.