I switched from Ubuntu to Debian so that I don’t need to update the code name every time a new release comes out. With the help of unattended-upgrades (u-u), I can keep the system up to date without too much manual intervention.

Package Sources & Preference

$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian testing main contrib non-free
deb http://deb.debian.org/debian unstable main contrib non-free

deb http://security.debian.org/debian-security testing-security main

deb http://deb.debian.org/debian testing-updates main contrib non-free

Since it contains both the unstable and testing releases, it’s better to prefer packages from testing when a package exists in both, which is easily achieved by giving the testing release a larger priority score. Note that we use priority 50 for packages from the unstable release, which ensures that they will not be upgraded via apt upgrade or similar commands. Installing/upgrading packages is usually rather safe, but mixing packages from different releases is like cruising in uncharted territory and shouldn’t be taken lightly. Therefore, I disable (semi-)automatic upgrading for packages from unstable. One can still upgrade them manually with apt install <package_name>/sid.

$ cat /etc/apt/preferences
Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 50

Occasionally, we might want to know which packages are installed from one specific release, e.g. unstable:

$ apt-show-versions | grep unstable
conky:all/unstable 1.10.8-1 uptodate

u-u configs

As for staying updated, u-u has mostly been working fine with the following configs. When it does not, I run sudo apt dist-upgrade, which seems to get me out of trouble.

$ cat /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

$ cat /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
"o=Debian,a=testing";
"o=Debian,a=testing-updates";
"o=Heroku,a=stable";
"site=dl.bintray.com";
};

Unattended-Upgrade::Package-Blacklist {
// auto upgrading the kernel seems a bit too adventurous
"linux-";
};

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
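
A check of the configs above, as an added example that is not part of the original post: it lists the suites from sources.list that none of the o=Debian entries in Origins-Pattern match, assuming that each source's a= value equals its suite name (the function names are hypothetical). On this page's configs it reports unstable, which is intended, and testing-security, so under that assumption updates from the security source are not applied by u-u unless a matching pattern is added.

```shell
#!/bin/sh
# Added example. SOURCES and PATTERNS are constructed copies of the
# sources.list and Origins-Pattern entries shown on this page.
SOURCES='deb http://deb.debian.org/debian testing main contrib non-free
deb http://deb.debian.org/debian unstable main contrib non-free
deb http://security.debian.org/debian-security testing-security main
deb http://deb.debian.org/debian testing-updates main contrib non-free'

PATTERNS='"o=Debian,a=testing";
"o=Debian,a=testing-updates";
"o=Heroku,a=stable";
"site=dl.bintray.com";'

# Print the a= (archive) value of every pattern that requires o=Debian.
allowed_archives() {
    printf '%s\n' "$PATTERNS" | tr -d '";' | while IFS= read -r pat; do
        case ",$pat," in
            *,o=Debian,*) printf '%s\n' "$pat" | tr ',' '\n' | sed -n 's/^a=//p' ;;
        esac
    done
}

# Print the suite of each "deb" line, ignoring an optional [options] field.
source_suites() {
    printf '%s\n' "$SOURCES" | awk '{ sub(/\[[^]]*\]/, "") } $1 == "deb" { print $3 }'
}

# Print suites that no Debian pattern matches. Assumption: each source's
# a= value equals its suite name in sources.list and its origin is Debian.
uncovered_suites() (
    set -f    # keep glob characters in patterns from expanding to file names
    allowed=$(allowed_archives)
    for suite in $(source_suites); do
        hit=no
        for pat in $allowed; do
            # $pat is left unquoted on purpose: u-u patterns are fnmatch globs
            case "$suite" in $pat) hit=yes ;; esac
        done
        [ "$hit" = yes ] || printf '%s\n' "$suite"
    done
)

uncovered_suites    # prints: unstable, then testing-security
```

On a live system, apt-cache policy shows the real o= and a= values of each source, and sudo unattended-upgrade --dry-run --debug shows what u-u would do with the current patterns.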

APT timers

List apt-related timers:

$ systemctl list-timers | grep apt
Mon 2020-12-21 03:03:49 CET 12h left Sun 2020-12-20 06:00:34 CET 8h ago apt-daily.timer apt-daily.service
Mon 2020-12-21 06:56:10 CET 16h left Sun 2020-12-20 06:23:34 CET 7h ago apt-daily-upgrade.timer apt-daily-upgrade.service

apt-daily.timer decides when to download upgradeable packages, and apt-daily-upgrade.timer decides when to perform the upgrade/cleanup. Since my network connection is rather slow, I prefer that downloading happens during the night, so I override the default apt-daily.timer with:

$ sudo systemctl edit apt-daily.timer

# use the following content in the editor
[Unit]
Description=Daily apt download activities

[Timer]
OnCalendar=
OnCalendar=*-*-* 3:00
RandomizedDelaySec=10m
Persistent=true

[Install]
WantedBy=timers.target

Then we can confirm that the new config works with systemctl status apt-daily.timer: the next trigger is around 3:00 the next day.
