Score:7

Upgrading Debian Linux to a specific patch level

jp flag

I have a few dozen Debian boxes which I want to keep up to date in a deterministic fashion, and also follow the Engineering => Pre-Prod => Prod routine with a deterministic staging process.

Ideal world for me would be to have some sort of 'patch level ID' at hand, like 2022-01-10.e28de15cc1 and be able to say apt upgrade --to 2022-01-10.e28de15cc1, but I've not found anything remotely similar.

I probably can hash the output of apt list --installed after upgrading the first box and simulate the concept, but am really wondering why no one has done it, is my mental model of keeping penguins tidy completely off here?

Score:8
kz flag

As far as I know, an apt repository does not have a global ID referring to a certain version numbers of all packages. You could create a list of package versions, distribute it to all servers, and create a script to fetch those specific versions. But such a script is "error-prone", and you get in trouble if that specific version has been deleted from the repository.

The easiest way to achieve this is probably if you would set up your own repository (or three, if you'd like to keep engineering / pre-prod / prod at different levels), and whenever you'd like to update, you'd have to update the repo server first, and afterwards the connected servers...

jp flag
Right now I run it with a JFrog apt proxy to have deterministic cut lines. But feels really backwards.
Score:0
mm flag

I suspect that in practice - most people don't need 'all' their packages at a precise/'deterministic' upgrade level. They need some critical ones and the tools exist to do that.

That said, hashing the output of apt list --installed is probably the 'right' first step.

For 'local'/testing use, apt will let you install a specific version with apt-get install packagename=version and you can hold the package. This is probably not the right approach when it's a large number of systems.

While I (vaguely) recall legacy unixes and other OSes having patch levels, with the internet and distributed software development, it makes a lot less sense. The tools do however exist for one to build a deterministic system build, though.

The right way would be to use your config management tool, then use that to install specific versions of software for that role. Ansible will do it, for example.

jp flag
I don’t care much what specific versions are for most of the packages, but I care that what I’ve tested in the engineering lab is EXACTLY the same as pre-prod and later prod. Ansible can help it look declarative and obfuscate the fact of apt-get presence, but it does not make any difference other than that. Patch level is not “old days”, it’s just an overall version of the package repository (like commit ID in svn or commit hash in Git). It would be extremely useful.