Frequently Asked Question
How do unattended security updates work, and should I enable them?
On a default Ubuntu or Debian server, the unattended-upgrades package is installed
and configured to fetch and apply security updates automatically once a day. It is
driven by two systemd timers: apt-daily.timer runs apt update to refresh the
indices, and apt-daily-upgrade.timer runs the unattended-upgrades script that
installs only updates from the -security pocket. The configuration lives in
/etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades,
and detailed logs end up in /var/log/unattended-upgrades/. Fedora has a similar
mechanism in dnf-automatic, controlled by the dnf-automatic.timer systemd unit.
For production servers exposed to the internet, the answer is almost always yes:
enable it. The gap between a CVE being announced and being exploited at scale is
now a matter of hours, and the cost of an out-of-hours human running apt upgrade
is rarely worth the marginal control. The known risk is that a security update
occasionally breaks something at an inconvenient moment. The mitigations are: pin
a small set of truly critical packages with apt-mark hold; set
Unattended-Upgrade::Automatic-Reboot "false"; so that you choose the reboot
window; and keep a recent snapshot or backup so you can roll back. For developer
workstations, the same mechanism keeps you patched without thinking about it.
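The following script is an added example, not part of the original FAQ or of the unattended-upgrades package. It parses the two apt.conf.d files named above and reports whether the daily update and upgrade switches are on and whether automatic reboot is enabled, so you can audit a fleet of hosts for the settings the answer recommends. The sample configuration files are constructed inline so the script runs on any machine; on a real Debian or Ubuntu host you would point the functions at /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades instead. The parser assumes the simple `Key "value";` form that apt uses for these keys and ignores `//` comments.

```shell
#!/bin/sh
# Added example: audit unattended-upgrades settings from apt.conf.d files.
# Sample files are constructed below; they are not copied from a live system.

# apt_conf_get FILE KEY: print the value of a `KEY "value";` line, with
# // comments stripped; prints nothing if KEY is absent.
apt_conf_get() {
    sed 's|//.*$||' "$1" \
        | grep -o "$2[[:space:]]*\"[^\"]*\"" \
        | head -n 1 \
        | sed 's/.*"\([^"]*\)".*/\1/'
}

# auto_upgrades_enabled FILE: succeed only when both periodic switches are "1",
# i.e. indices are refreshed daily AND unattended-upgrades actually runs.
auto_upgrades_enabled() {
    [ "$(apt_conf_get "$1" 'APT::Periodic::Update-Package-Lists')" = "1" ] &&
    [ "$(apt_conf_get "$1" 'APT::Periodic::Unattended-Upgrade')" = "1" ]
}

# automatic_reboot FILE: print "true" or "false". An absent key means apt's
# default, which is no automatic reboot, so that is reported as "false".
automatic_reboot() {
    v=$(apt_conf_get "$1" 'Unattended-Upgrade::Automatic-Reboot')
    case "$v" in
        true) echo true ;;
        *)    echo false ;;
    esac
}

# report DIR: one-line summary of the two files in DIR (an apt.conf.d dir).
report() {
    if auto_upgrades_enabled "$1/20auto-upgrades"; then
        upg="enabled"
    else
        upg="DISABLED"
    fi
    rb=$(automatic_reboot "$1/50unattended-upgrades")
    rbt=$(apt_conf_get "$1/50unattended-upgrades" 'Unattended-Upgrade::Automatic-Reboot-Time')
    echo "unattended security updates: $upg; automatic reboot: $rb${rbt:+ at $rbt}"
}

# --- constructed sample apt.conf.d directory ---
EX_DIR=$(mktemp -d)
cat > "$EX_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$EX_DIR/50unattended-upgrades" <<'EOF'
// Only the -security pocket, as the answer describes.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
// Pick the reboot window yourself rather than letting apt choose.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF

# A second, deliberately weak 20auto-upgrades to show the check failing:
# indices are refreshed but the upgrade step is switched off.
cat > "$EX_DIR/20auto-upgrades.weak" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

report "$EX_DIR"
```

To confirm that the timers the answer mentions are actually scheduled on a live host, run `systemctl list-timers 'apt-daily*'`, and check `/var/log/unattended-upgrades/unattended-upgrades.log` for what the last run installed or held back. The `report` function returns the same summary line whether reboot is on or off; a fleet-wide sweep can grep its output for `DISABLED` or `automatic reboot: true` to find hosts that deviate from the recommended settings.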