Scenario / Questions

I often log into my Ubuntu 12.04.2 server (with Postgres 9.2.4 running with live production data) and see something akin to:

4 packages can be updated.
4 updates are security updates.

This happens about every few days, of course. I’m not interested in automatic updates (the fewer things I can have changing when I’m asleep, the better), but I am interested in always keeping my server up to date, so my question is: When I see output such as that, is it always considered safe to run apt-get upgrade, or are there times when it can break things? I understand that patches are not always perfect (hence the quoted “always” in the title), but as a general rule, is it assumed safe to run this (esp. given this is a database server vs. something that just serves CSS files via Nginx)?

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

Generally, yes this is safe. For critical packages, though (Postgres, Nginx, etc.), I’d recommend pinning those packages to a specific version so that they do not get updated. When Postgres gets updated, for instance, it will restart the database server, which is something you want to be able to schedule around planned downtime.

That said, it’s always best to test upgrades on a staging server before promoting them to production, so that’s something to think about adding to your deployment process.

Suggestion: 2

Aptitude has easier-to-remember commands: aptitude safe-upgrade vs. aptitude full-upgrade. It is still a good idea to install apt-listchanges so that you will be given information about the changes in the updated packages and the option to cancel the upgrade.
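The two practical pieces of advice in Suggestions 1 and 2 (pin the packages whose upgrade restarts a live service, and look at what an upgrade would change before letting it run) can be scripted. The following is an added example written for this thread, not code posted by any of the answerers. The list of "critical" packages and the sample apt-get output are constructed for illustration; the `Inst`/`Conf` line shape is what `apt-get -s upgrade` (simulate mode) prints, and the stanza format is that of `/etc/apt/preferences.d/` files.

```shell
#!/bin/sh
# Added example for this thread (not from any of the answers above).
# Assumptions: CRITICAL is an illustrative list for a Postgres/Nginx box, and
# the planned-upgrade input has the "Inst <pkg> [old] (new ...)" shape that
# `apt-get -s upgrade` prints.

# Packages whose upgrade restarts a live service on this server (assumed list).
CRITICAL="postgresql-9.2 postgresql-client-9.2 nginx"

# Render an apt preferences stanza (to be saved under /etc/apt/preferences.d/)
# that pins a package to a version pattern. Priority 1001 keeps that version
# even when a newer one is available in the archive.
render_pin() {
  printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n' "$1" "$2"
}

# Read simulated apt-get output on stdin and print every critical package the
# plan would install or upgrade ("Inst" lines only; "Conf" lines repeat the
# same packages). Returns 1 when at least one was found, so a caller can
# refuse to run the real upgrade outside a maintenance window.
critical_in_plan() {
  found=0
  while read -r action pkg _rest; do
    [ "$action" = "Inst" ] || continue
    for c in $CRITICAL; do
      if [ "$pkg" = "$c" ]; then
        echo "$pkg"
        found=1
      fi
    done
  done
  return "$found"
}

# Constructed sample of `apt-get -s upgrade` output so the script runs offline;
# the version strings are made up for the example.
SAMPLE_PLAN='Inst libc6 [2.15-0ubuntu10] (2.15-0ubuntu10.4 Ubuntu:12.04/precise-updates [amd64])
Inst postgresql-9.2 [9.2.4-1] (9.2.4-2 Ubuntu:12.04/precise-updates [amd64])
Conf libc6 (2.15-0ubuntu10.4 Ubuntu:12.04/precise-updates [amd64])
Conf postgresql-9.2 (9.2.4-2 Ubuntu:12.04/precise-updates [amd64])'

# Stand-alone demonstration. On a real server the same check is
#   apt-get -s upgrade | critical_in_plan && apt-get upgrade
# and the pin is written with, e.g.,
#   render_pin postgresql-9.2 '9.2.4*' > /etc/apt/preferences.d/postgresql
# (apt-mark hold postgresql-9.2 is the simpler alternative when any newer
# version should be blocked rather than a specific pattern kept).
if printf '%s\n' "$SAMPLE_PLAN" | critical_in_plan; then
  echo "no critical packages in plan; upgrade can proceed"
else
  echo "critical packages would change; schedule this for a maintenance window"
fi
```

Because `critical_in_plan` only inspects the simulated plan, it is safe to run from cron or a login hook as a read-only report; the real `apt-get upgrade` is still a deliberate, separate step, which matches the "no changes while I'm asleep" requirement in the question.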

Suggestion: 3

Yes and no.
Most applications are OK, but some applications may not be too happy to be upgraded.

I have seen examples where upgrading Java from 1.6.29 to 1.6.30 breaks the applications using it.
I have also seen MySQL breaking between 5.0.X and 5.0.X+1 (don't remember the exact numbers here).

System applications should be mostly OK, but you should carefully read the release notes of the applications that your server is actually providing.

Read what changes in nginx and try to understand whether any of the changes may affect your particular setup.
The more advanced your use of an application, the easier it is to break.