Friday, October 05, 2007

Updating Your Debian or Ubuntu Desktop Safely

Bruce Byfield wrote an article about the dangers of automatic updates at Linux.com. I agree with him that updates are often dangerous, however, I will say that after many years of updating systems running Debian "stable", I have not encountered any problems afterwards. After all, it's Debian's policy not to include any non-security updates in their stable branch. I don't take any chances, and run the updates manually (see my previous post on Remotely Administering Groups of Servers With Dsh and SSH for a way to run updates on many boxes at once), but still no problems. The one, big weakness of this policy over the years was that it excluded updates for packages that did need them - like Snort or ClamAV. With Debian volatile, this is no longer an issue.

My Ubuntu desktop, however, is another story. I tend not to update it unless I feel it is absolutely necessary - it usually isn't. With no services open to the world, security vulnerabilities will tend to be exposed via web or email, so important updates usually revolve around Firefox (I use mutt for email).

There's a couple of good ways on Debian or Ubuntu desktops to make updates a bit safer: You can select individual updates with the graphical update manager, or use apt-listchanges from a shell prompt. Using the update manager, you can not only select individual updates, you can also display detailed changelogs for the new version, so you can make an informed decision on whether or not to upgrade. Just select a package and click on the "Description of update" arrow.

Ubuntu Updates

Using the command line, let's say you just wanted to upgrade the 'tar' utility. Apt-listchanges gives us a similar functionality to the graphical update manager. First we have to install and configure it. The 'dpkg-reconfigure' step, below, will ask you a bunch of questions - the important ones are to have apt-listchanges display both changelogs and news, and to ask for confirmation before proceeding.

sudo apt-get update sudo apt-get install apt-listchanges sudo dpkg-reconfigure apt-listchanges
My /etc/apt/listchanges.conf is the following, this gets auto-generated after the 'sudo dpkg-reconfigure apt-listchanges' step, but you can certainly edit it by hand:

[apt] frontend=pager email_address=doug confirm=1 save_seen=/var/lib/apt/listchanges.db which=both
Now, after apt downloads the updated tar package, it will display a changelog, and ask for confirmation before updating:

doug@dev:~$ sudo apt-get install tar Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be upgraded: tar 1 upgraded, 0 newly installed, 0 to remove and 112 not upgraded. Need to get 0B/322kB of archives. After unpacking 0B of additional disk space will be used. Reading changelogs... Done ... tar (1.16-2ubuntu0.1) feisty-security; urgency=low * SECURITY UPDATE: directory traversal with malicious tar files. * src/names.c: adjust dot dot checking, patched inline. * References CVE-2007-4131 ... apt-listchanges: Do you want to continue? [Y/n]?

No comments: