
Russell Coker wrote:
On Fri, 14 Sep 2012, "Trent W. Buck" <trentbuck@gmail.com> wrote:
My rule of thumb (for production gear) is: unless it fixes a bug YOU care about, or adds a feature YOU need, leave it the hell alone. Because new code = new bugs.
If the people who maintain your distribution do a good job then it's really not that bad.
$coworker *did* point out to me that when I can easily distinguish security updates from <everything else>, I usually install the former with abandon. Specifically, the Debian and Ubuntu -security repos. I tend to use unattended-upgrades for that, partly because I never remember the aptitude limit to match only security updates: ~U~S~VCANDIDATE~Alucid-security
When a new kernel version comes out I generally upgrade all DomUs that have direct user access (all web servers etc) immediately.
I guess we have different classes of users. Most of the time I'm dealing with servers that only/mainly point inwards at an office LAN, where users are assumed to be benign.
It's not too hard to upgrade [the kernel on] them and the risk is too great to do otherwise.
Too risky security-wise or reliability-wise?
For packages that aren't really mission critical I install all updates as a matter of routine. Presumably when Debian pushes an update for OpenOffice or something they have a good reason for doing so and the potential consequences of the upgrade not working generally aren't that bad.
When I look at the changelog, it's very often something that matters to Debian but not to me, e.g. "fix typos in Esperanto localization".
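Added example, not part of the thread: an unattended-upgrades configuration that does what Trent describes above, installing packages from the -security repositories automatically while leaving every other update alone. The file paths are the Debian/Ubuntu defaults; the Ubuntu origin line is an assumption for that distribution and the Debian line mirrors the distribution's shipped default pattern.

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades
// Only packages whose candidate version comes from the security suite
// of the running release are eligible. The plain release origin
// ("Debian stable", "Ubuntu ${distro_codename}") is deliberately absent,
// so routine point-release and -updates changes are never auto-installed.
Unattended-Upgrade::Origins-Pattern {
        // Debian: security.debian.org publishes with label Debian-Security
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        // Ubuntu (assumed): the archive is named <codename>-security
        "origin=Ubuntu,archive=${distro_codename}-security";
};

// Do not pull in or remove anything beyond the security fix itself.
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";

// Mail a report (including failures) so a silent non-upgrade is noticed.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "false";

// /etc/apt/apt.conf.d/20auto-upgrades
// Enable the daily run; without this the file above is never consulted.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```

Running `unattended-upgrade --dry-run --debug` shows which candidate versions match the origin pattern before any real run, which is the quickest way to confirm the pattern is not silently matching nothing.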