When I update software, I never notice anything changing in a good way. Ever! Like, I've never seen software update and been like "thanks, that's a great new feature!" With the exception of maybe twice, this has never happened? I don't think I've even noticed a bug fix either. I only ever see bad new updates to everything. Annoying things they (re)moved. Breaking changes. Stuff no longer works. Customizations I spent ages on no longer have any effect. Settings get ignored. Stuff breaks. Updates are bad.
I think I only want my package manager to update things when there's a CVE. Is there a way to make this happen? There are like 146 package updates every week. They can't all be critical security fixes, can they? Do I have to hire an intern to go through them?
@jk I think this is called "using an LTS distro"

@jk I don't think there's a way to make that happen. Debian stable promises this, but that won't catch even every security update:

https://mjg59.dreamwidth.org/41085.html

@jk yum claims you can search packages by CVE (and bugzilla ID), IIRC. I remember discovering this because the number of human hours you’d need to throw into making that work made it seem very improbable that it does
@yomimono @jk I would have mentioned this feature were it not for the fact that, the couple times I have attempted to use it on both Fedora and Rocky Linux, it indeed does not seem to work

@jk My guess is It Depends®, mostly on your package manager. unattended-upgrades has a security tag. Or you could go full nerd and use a scraper on mitre, bounce it off your installed packages and install that way.

Eventually, you'll end up stuck on the most secure LTS from 8 years ago with a bunch of manually compiled libs etc and at that point you should probably have just installed BSD and been done with it. Ask me how I know...

@adelie this is where my server is right now, so i guess i should have gone with BSD after all…

@jk if you're using Ubuntu you can disable the “updates” repository and leave the “security” repository enabled². That's a supported configuration and will get you what you want¹.

Pick an LTS base and you'll only need to upgrade every 5 or so years.

¹: mostly. There are some things, like web browsers, that we can't reasonably backport only security fixes to.
²: I'm pretty sure you can do this from the “software sources” GUI, but I generally poke the configuration files myself.
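The "disable updates, keep security" change above, as an added example that is not part of any post in this thread. It assumes a one-line-format sources list (not the newer deb822 `.sources` files) and Ubuntu's pocket naming (`<codename>-updates`, `-backports`, `-proposed`, `-security`); the sample list is constructed, not copied from a real machine.

```shell
#!/bin/sh
# Rewrite a one-line-format apt sources list so that only the base
# release pocket and the "-security" pocket stay active. Lines for
# "-updates", "-backports" and "-proposed" are commented out rather
# than deleted, so the change is easy to audit and to revert.
# Usage: keep_security_only < /etc/apt/sources.list > sources.list.new
keep_security_only() {
  awk '
    /^[[:space:]]*deb(-src)?[[:space:]]/ {
      # Field 3 is normally the suite ("jammy", "jammy-updates", ...).
      suite = $3
      # With an option block, "deb [arch=amd64 signed-by=...] URL suite",
      # skip to the field that closes the bracket, then two more.
      if ($2 ~ /^\[/) {
        i = 2
        while (i <= NF && $i !~ /\]$/) i++
        suite = $(i + 2)
      }
      if (suite ~ /-(updates|backports|proposed)$/) {
        print "# disabled (non-security pocket): " $0
        next
      }
    }
    { print }
  '
}

# List the suites that remain active, so the result can be checked.
active_suites() {
  awk '/^[[:space:]]*deb(-src)?[[:space:]]/ {
         i = 3
         if ($2 ~ /^\[/) { i = 2; while (i <= NF && $i !~ /\]$/) i++; i += 2 }
         print $i
       }' | sort -u
}

# Constructed sample list (hypothetical machine on Ubuntu 22.04 "jammy").
SAMPLE='deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] http://archive.ubuntu.com/ubuntu jammy-backports main
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
deb-src http://archive.ubuntu.com/ubuntu jammy-updates main'

FILTERED=$(printf '%s\n' "$SAMPLE" | keep_security_only)
printf '%s\n' "$FILTERED"
printf 'active suites:\n%s\n' "$(printf '%s\n' "$FILTERED" | active_suites)"
```

Run `apt-get update` afterwards so the package index reflects only the pockets left active; the disabled lines stay in place as comments for later review.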