Turns out I have been updating wrong all this time! 🤦🏼
I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.
Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.
I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.
https://the.unknown-universe.co.uk/tech-stories/update-conundrum/Open linkView original on lemmy.ml138
Comments35
apt dist-upgrade is a necessary change to your process in place of just upgrade.
I may be wrong but I think it's apt-get dist-upgrade. apt full-upgrade does the same too.
apt-get is now deprecated on Debian and Ubuntu. But otherwise, no notes.
So "apt-dist-upgrade" then? Sorry if obtuse.
apt dist-upgrade. No first dash.Notice it's
aptnotapt-get. That's all they were saying.Thanks!
This should save a click for hopefully everyone.
Yes obviously, if you do not update the packages then they do not get updated.
If you do not read the output of a command then you will not notuce that.
The standard upgrade command has this behavior though, which is unexpected to people like me and the author. You need a specific flag to tell apt to actually upgrade everything which is not the behavior I expected.
But it is clearly stated in the output that it holds back packages.
Nothing of what you said is on topic. I never said linux is for everyone and so on....
First, its about server administration. Second, I am neither saying that this behavior is good or bad.
I am saying that the behavior is clearly stated in the output. Or what else does "packages were held back" mean.
Blaming ignorance in reading the output prompt on the tools is really childish.
I think you got my point. Not sure why you feel the need to try to discuss another discuasion topic with me.
No its not. And again, I never said apt is good or perfect or bad.
I am fully aware, it is not like i ever had to dig down and resolve dependency hell.
But it is something different if you say that tools could be made better, than writing a whole article with a click bait title on "How i ignored the output of my package manager".
Sure in the gigantic wall of text. Also it doesn't tell you why, or what to do about it. All they'd have to do is say "run dist-upgrade to update these packages."
It is literally in the summary that gets presented in the last few lines before you have to press Y to continue.
Since you are already overwhelmed by the wall of text, you would probably not read the suggestion antways.
I cross posted this to [email protected], I hope that was ok! I figured it would be good to spread the knowledge
Thanks for sharing this. I'm very confident with Linux, but I hadn't thought about this!
Your blog post was concise, too. I hate scrolling forever before finding the solution.
Glad you found it useful. I'm the same, I can't stand those long posts that make you read a life story before getting to the commands, even worse when a page is riddled by ads or behind a paywall!
I figured if I’d missed it, a few other people probably had too.
pacman -Syugoes brrrThis is specific to Debian and Ubuntu so why not being more specific in the title?
I've been running Debian since 2007 and never understood the point of
apt upgrade.When I update, I want the updated version for everything on my system.
I don't want to arbitrarily hold back packages just because a dependency changed. I'll decide for myself if that's an issue in my deployment. And Debian is generally very good at keeping everything running exactly the same way between releases.
I pin the release by name (not "stable") and then
apt dist-upgradealways.I've always been doing apt dist-upgrade. What's the difference between dist-upgrade and full-upgrade?
none.
Shouldn't the upgrade also update the bootloader's default entry to a new kernel? The way I've been doing it was apt update && apt dist-upgrade. And then reboot once every 1 to 2 years if I feel like it, am bored, or there's all these news articles about a severe bug in the kernel.
Depends on what quietly means. To me it means "with no indication". Any written warning is quiet, I guess, if one is not reading it.
I had a similar experience with this vulnerability. I had no idea another command was required to update the kernel. Kind of odd if you ask me, but i'm sure they did it so you're forced to realize you're updating the kernel.
Would apt-get instead of apt have saved you?
No, apt isn’t just a rename. apt upgrade largely replaces apt-get upgrade, but it’s a bit more aggressive: it may install new packages if required as dependencies (it still won’t remove packages). If an upgrade needs to remove packages to resolve dependencies, use apt full-upgrade (same as apt-get dist-upgrade).
Uhm, you dont update the host OS??
Why?
Shouldnt an updater run on the host? And Debian should always update the kernel with apt?
I'm the same way. My Debian server is two versions out of date, but it's still getting security updates and works, so why in the world would I upgrade?
Because the kernel and packages are severely outdated, only getting urgent patches
This seems to me like a pretty urgent patch
Yes but there are tons of others that dont get CVEs lol
I feel personally attacked.
Yay!