this post was submitted on 01 May 2026
141 points (96.7% liked)

Linux

65096 readers
872 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago
MODERATORS
nooter692@lemmy.ml
AgreeableLandscape@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
141
Turns out I have been updating wrong all this time! 🤦🏼 (the.unknown-universe.co.uk)
submitted 6 days ago by TheIPW@lemmy.ml to c/linux@lemmy.ml
43 comments fedilink hide all child comments
 

I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.

Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.

I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.

all 44 comments
sorted by: hot top controversial new old
[–] faith@lemmy.ml 6 points 4 days ago

pacman -Syu goes brrr

[–] ShortN0te@lemmy.ml 26 points 5 days ago (1 children)

When a kernel update requires a change in dependencies, something Proxmox kernels do frequently, apt just quietly “keeps back” the package. It doesn’t fail, it doesn’t break the system, and it doesn’t trigger a rollback. It just waits for me to notice.

This should save a click for hopefully everyone.

Yes obviously, if you do not update the packages then they do not get updated.

If you do not read the output of a command then you will not notuce that.

[–] paris@lemmy.blahaj.zone 16 points 5 days ago (1 children)

The standard upgrade command has this behavior though, which is unexpected to people like me and the author. You need a specific flag to tell apt to actually upgrade everything which is not the behavior I expected.

[–] ShortN0te@lemmy.ml 1 points 5 days ago (2 children)

But it is clearly stated in the output that it holds back packages.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com -1 points 1 day ago (1 children)

Sure in the gigantic wall of text. Also it doesn't tell you why, or what to do about it. All they'd have to do is say "run dist-upgrade to update these packages."

[–] ShortN0te@lemmy.ml 1 points 1 day ago

Sure in the gigantic wall of text. Also it doesn't tell you why, or what to do about it. All they'd have to do is say "run dist-upgrade to update these packages."

It is literally in the summary that gets presented in the last few lines before you have to press Y to continue.

Since you are already overwhelmed by the wall of text, you would probably not read the suggestion antways.

[–] BrightCandle@lemmy.world 34 points 6 days ago (1 children)

apt dist-upgrade is a necessary change to your process in place of just upgrade.

[–] mcheva@lemmy.dbzer0.com 3 points 5 days ago (1 children)

I may be wrong but I think it's apt-get dist-upgrade. apt full-upgrade does the same too.

[–] ATS1312@lemmy.dbzer0.com 9 points 5 days ago (1 children)

apt-get is now deprecated on Debian and Ubuntu. But otherwise, no notes.

[–] redditmademedoit@piefed.zip 1 points 4 days ago (1 children)

So "apt-dist-upgrade" then? Sorry if obtuse.

[–] Quibblekrust@thelemmy.club 4 points 4 days ago (1 children)

apt dist-upgrade. No first dash.

Notice it's apt not apt-get. That's all they were saying.

[–] otter@lemmy.ca 15 points 5 days ago

I cross posted this to !selfhosted@lemmy.world, I hope that was ok! I figured it would be good to spread the knowledge

[–] actionjbone@sh.itjust.works 12 points 6 days ago (1 children)

Thanks for sharing this. I'm very confident with Linux, but I hadn't thought about this!

Your blog post was concise, too. I hate scrolling forever before finding the solution.

[–] TheIPW@lemmy.ml 6 points 6 days ago

Glad you found it useful. I'm the same, I can't stand those long posts that make you read a life story before getting to the commands, even worse when a page is riddled by ads or behind a paywall!

I figured if I’d missed it, a few other people probably had too.

[–] fratermus@piefed.social 5 points 5 days ago

apt just quietly “keeps back” the package. It doesn’t fail, it doesn’t break the system, and it doesn’t trigger a rollback. It just waits for me to notice. Since I wasn’t looking at the list of upgradable packages

Depends on what quietly means. To me it means "with no indication". Any written warning is quiet, I guess, if one is not reading it.

[–] immobile7801@piefed.social 5 points 5 days ago

I had a similar experience with this vulnerability. I had no idea another command was required to update the kernel. Kind of odd if you ask me, but i'm sure they did it so you're forced to realize you're updating the kernel.

[–] racketlauncher831@lemmy.ml 7 points 5 days ago

This is specific to Debian and Ubuntu so why not being more specific in the title?

[–] mech@feddit.org 6 points 5 days ago* (last edited 5 days ago) (1 children)

I've been running Debian since 2007 and never understood the point of apt upgrade .
When I update, I want the updated version for everything on my system.
I don't want to arbitrarily hold back packages just because a dependency changed. I'll decide for myself if that's an issue in my deployment. And Debian is generally very good at keeping everything running exactly the same way between releases.

I pin the release by name (not "stable") and then apt dist-upgrade always.

[–] Slashme@lemmy.world 2 points 5 days ago (1 children)

I've always been doing apt dist-upgrade. What's the difference between dist-upgrade and full-upgrade?

[–] mech@feddit.org 3 points 5 days ago

none.

[–] Akrenion@slrpnk.net 1 points 4 days ago

There’s no point in digital hoarding; it just clutters the boot partition and makes future updates messier.

I feel personally attacked.

[–] SchwertImStein@lemmy.dbzer0.com 4 points 5 days ago* (last edited 5 days ago) (1 children)

Would apt-get images of apt have saved you?

[–] TheIPW@lemmy.ml 4 points 5 days ago

No, apt isn’t just a rename. apt upgrade largely replaces apt-get upgrade, but it’s a bit more aggressive: it may install new packages if required as dependencies (it still won’t remove packages). If an upgrade needs to remove packages to resolve dependencies, use apt full-upgrade (same as apt-get dist-upgrade).

[–] hendrik@palaver.p3x.de 6 points 6 days ago* (last edited 5 days ago)

Shouldn't the upgrade also update the bootloader's default entry to a new kernel? The way I've been doing it was apt update && apt dist-upgrade. And then reboot once every 1 to 2 years if I feel like it, am bored, or there's all these news articles about a severe bug in the kernel.

[–] boredsquirrel@slrpnk.net 4 points 6 days ago (2 children)

Uhm, you dont update the host OS??

[–] TheIPW@lemmy.ml 2 points 6 days ago (1 children)

Why?

[–] boredsquirrel@slrpnk.net 2 points 6 days ago

Shouldnt an updater run on the host? And Debian should always update the kernel with apt?

[–] yesman@lemmy.world 1 points 6 days ago (1 children)

I'm the same way. My Debian server is two versions out of date, but it's still getting security updates and works, so why in the world would I upgrade?

[–] boredsquirrel@slrpnk.net 3 points 6 days ago (1 children)

Because the kernel and packages are severely outdated, only getting urgent patches

[–] RichardNixos@lemmy.ml 1 points 5 days ago (1 children)

This seems to me like a pretty urgent patch

[–] boredsquirrel@slrpnk.net 4 points 5 days ago

Yes but there are tons of others that dont get CVEs lol

[–] alsimoneau@lemmy.ca 1 points 5 days ago

Yay!

[–] chgxvjh@hexbear.net 1 points 6 days ago (2 children)

Yeah, apt is an unwieldy piece of shit.

[–] gary_host_laptop@lemmy.ml 2 points 6 days ago (3 children)

is this specific to apt? dnf or pacman dont suffer from this?

[–] thurstylark@lemmy.today 2 points 5 days ago (1 children)

I don't know about dnf, but pacman doesn't do this by default. The only way to hold back packages is by writing it in the configuration.

[–] ranzispa@mander.xyz 2 points 1 day ago

dnf has a MUCH nicer interface than apt. Pacman is a completely different beast, but will basically just install anything you ask it no problems regardless of whether that will brick your device or not. I still don't get why you need all that update && upgrade thing. How many users want to upgrade without resolving the repositories before that?

[–] chgxvjh@hexbear.net 2 points 6 days ago

I don't know for certain but this seems pretty apt specific.

[–] TheIPW@lemmy.ml 1 points 6 days ago

I've not come across this with my non Debian based systems. Only use Debian for servers because it's so stable, Arch and Fedora everywhere else!

[–] SocialistVibes01@lemmy.ml 0 points 6 days ago (1 children)

I'd say Python is instead.

[–] chgxvjh@hexbear.net 2 points 6 days ago (1 children)

?

[–] SocialistVibes01@lemmy.ml 3 points 6 days ago

I'm sorry, wrong thread.