Linux Patch Management: How Debian does it

Last week, we looked at the importance of patch management and of keeping up to date with the most recent software bugs and fixes. I suggested a variety of sources from which the latest alerts can be found, and a variety of ways in which to receive this information (web sites like SecurityFocus, mailing lists and RSS feeds).

It is impractical and unrealistic to expect administrators to patch source code, recompile and reinstall each time a patch is released; this would consume most of an administrator's time and prove a never-ending battle (the number of Linux admins sectioned to prevent self-harm would go through the roof!). Considering this, what options are available for solving the problem? Let's take a look at the Debian-based distributions (from now on, by Debian, I refer to any Debian-based distribution) and see how they handle it.

The name of Debian's package/update manager says it all: apt. The dictionary definition is close ('1. Exactly suitable; appropriate: an apt reply. 2. Quick to learn or understand: an apt student.'), but Wikipedia gets it spot on: APT stands for 'Advanced Packaging Tool'. The main tools are apt-get and apt-cache. The former handles installation, cache updates, upgrades and removal of packages; all dependencies are calculated, and the user is prompted to approve any additional packages required to satisfy them. The latter, apt-cache, searches the cache of available packages (the package index downloaded by 'apt-get update') and shows information about specified packages. Let's see them in action:

Great! Installing and removing packages just got a whole lot easier: dependency hell is no more. How about upgrading a package for which a newer version has been released, or installing a security patch? APT reads its list of package sources from a file called sources.list (/etc/apt/sources.list). Funnily enough, this file contains a list of sources, one of which is breezy-security (the security source for Ubuntu 5.10 'Breezy Badger', the Debian-based release used here; Debian itself serves its security updates from security.debian.org). Any critical updates and/or patches released by the security team are uploaded there. When you run apt-get update, the index of available packages, including these patches, is downloaded; apt-get upgrade then shows which updated packages are due to be installed on your system and asks for approval before going ahead and applying them, as you can see.
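As an added example (this is not code from the original article, nor part of APT), here is a small POSIX shell script that ties together the two pieces discussed above: it audits sources.list for an active security source of the kind apt-get update pulls from, and it parses the output of apt-get -s upgrade (apt's simulation mode, which needs neither root nor the network) to list the pending upgrades that come from a security suite. The sample sources.list and apt-get output embedded in it are constructed for illustration, with hypothetical package names and versions; the --live switch and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: check a Debian-based host
# for security-update readiness. Both helpers read stdin, so they can be run
# on the constructed samples below or on real files and real apt output.

# Print the active "deb" lines of a sources.list whose suite field (third
# word) equals $1, e.g. breezy-security (Ubuntu 5.10) or sarge/updates
# (Debian 3.1). Exit 0 if at least one is found, 1 if none. Comment lines
# and deb-src lines are skipped; bracketed options ("deb [arch=...] ...")
# are not handled.
has_security_source() {
    awk -v want="$1" '
        $1 == "deb" && $3 == want { found = 1; print }
        END { if (found) exit 0; exit 1 }'
}

# Read the output of "apt-get -s upgrade" (or dist-upgrade) and print
# "package old-version new-version" for every simulated "Inst" line whose
# origin names a security suite. Simulated lines look like
#   Inst pkg [old] (new Origin:ver/suite [arch])
# and a package that is newly installed has no "[old]" part, which is
# printed here as "-".
pending_security_upgrades() {
    awk '
        $1 == "Inst" {
            if ($3 ~ /^\[/) { old = $3; new = $4; origin = $5 }
            else            { old = "-"; new = $3; origin = $4 }
            if (origin !~ /[Ss]ecurity/) next
            sub(/^\[/, "", old); sub(/\]$/, "", old); sub(/^\(/, "", new)
            print $2, old, new
        }'
}

# Constructed samples (hypothetical package names and versions).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu breezy main restricted
deb-src http://archive.ubuntu.com/ubuntu breezy main restricted
# deb http://archive.ubuntu.com/ubuntu breezy-backports main
deb http://security.ubuntu.com/ubuntu breezy-security main restricted'

SAMPLE_UPGRADE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libfoo1 bar
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libfoo1 [1.0-1] (1.0-1ubuntu0.1 Ubuntu:5.10/breezy-security)
Inst bar [2.3-4] (2.4-1 Ubuntu:5.10/breezy-updates)
Conf libfoo1 (1.0-1ubuntu0.1 Ubuntu:5.10/breezy-security)
Conf bar (2.4-1 Ubuntu:5.10/breezy-updates)'

# Run against this host: sh apt-security-check.sh --live breezy-security
# (run "apt-get update" as root beforehand so the index is current).
if [ "${1:-}" = "--live" ]; then
    suite="${2:?usage: $0 --live <security-suite>}"
    echo "Active security source(s) for $suite in /etc/apt/sources.list:"
    has_security_source "$suite" < /etc/apt/sources.list ||
        echo "  NONE: security updates will never be offered on this host"
    echo "Pending upgrades from a security suite:"
    apt-get -s upgrade 2>/dev/null | pending_security_upgrades
else
    echo "Sample run (constructed input):"
    printf '%s\n' "$SAMPLE_SOURCES" | has_security_source breezy-security
    printf '%s\n' "$SAMPLE_UPGRADE" | pending_security_upgrades
fi
```

The point of the sources.list check is the failure mode it catches: if the security source is commented out or missing, apt-get upgrade will happily report nothing to do, and the host silently stops receiving fixes. The second helper separates security updates from ordinary ones by looking at the origin apt prints for each simulated install, which is what you want when a change window only allows security patches.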


It's that easy. I really like the APT set of update tools; they couldn't be much simpler or more effective.

One thing to keep in mind is that Debian isn't a commercially supported distribution, so there is no SLA covering the frequency of updates or the reaction time to a vulnerability once it becomes public knowledge. The Debian security team claim that most problems are corrected within 48 hours of being brought to their attention. Security advisories are posted to the debian-security-announce mailing list, and patches are added to the 'security' APT source once available. Security updates for a stable release continue for one year after its successor is released. The repository indexes are also cryptographically signed, so the authenticity of the packages you download can be verified before they are installed.
Next week, I will take you through a commercial distribution of Linux and see how it deals with patching and updating.

