I’m having trouble staying on top of updates for my self hosted applications and infrastructure. Not everything has auto updates baked in and some things you may not want to auto update. How do y’all handle this? How do you keep track of vulnerabilities? Are there e.g. feeds for specific applications I can subscribe to via RSS or email?

  • slazer2au@lemmy.worldEnglish
    11·
    7 months ago

    Does badly count as a way?

    I kinda keep an eye on that https://selfh.st/ post that does a weekly roundup of stuff to know when I need to do patching.

    No doubt there is a container I could run that would do it for me. I just can’t remember the name of it.

  • enumerator4829@sh.itjust.worksEnglish
    3·
    7 months ago

    Unless you have actual tooling (i.e. RedHat erratas + some service on top of that), just don’t even try.

    Stop downloading random shit from dockerhub and github. Pick a distro that has whatever you need packaged, install from the repositories and turn on automatic updates. If you need stuff outside of repos, use first party packages and turn on auto updates. If there aren’t any decent packages, just don’t do it. There is a reason people pay RedHat a shitton of money, and that’s because they deal with much of this bullshit for you.

    At home, I simply won’t install anything unless I can enable automatic updates. Nixos solves much of it. Two times a year I need to bump the distro version, bump the nextcloud release, and deal with depreciations, and that’s it.

    I also highly recommend turning on automatic periodic reboots, so you actually get new kernels running…

  • N0x0n@lemmy.mlEnglish
    2·
    7 months ago

    For my docker containers I use what’s up docker which not only alerts me when there is an update but also give a link to the changes, so I can have a look what’s happening !

    For my system itself… Just doing sudo pacman -Syu. Though that’s not great, cause some updates can potentially break my EndeavourOS system… I keep sometimes an eye on the forum when I see some critical changes like the kernel itself or nvidia updates though.

  • sugar_in_your_tea@sh.itjust.worksEnglish
    2·
    7 months ago

    I just update every month or two, or whenever I remember. I use Docker/podman, and I set the version to whatever minor release I’m using, and manually bump after checking the release notes to look for manual upgrade steps.

    It usually takes 5 min and that’s with doing one at a time.

  • ShortN0te@lemmy.mlEnglish
    1·
    7 months ago

    Most critical infrastructure like my mail i subscribe to the release and blog rss feed. My OSs send me Update notifications via Mail (apticron), those i handle manual. Everything else auto updates daily.

    You still need to check if the software you use is still maintained and receives security updates. This is mostly done by choosing popular and community drive options, since those are less likely to get abandoned.

  • vegetaaaaaaa@lemmy.worldEnglish
    1·
    7 months ago

    upgrades:

    • distribution packages: unattended-upgrades
    • third party software: subscribe to the releases RSS feed (in tt-rss or rss2email), read release notes, bump version number in my ansible playbook, run playbook, done.

    vulnerabilities:

    • debsecan for distribution packages
    • trivy fort third-party applications/libraries/OCI images
    • wazuh for larger (work) setups