Linux Mint: optimize Update Manager

Back to the homepage

The protective level system of Linux Mint 18.2 Sonya

1. The default settings of Update Manager are very cautious; that's a characteristic of Linux Mint. Stability first and foremost. In this, the Mint developers have done a magnificent job: on top of the already good quality control for updates (updates with bugs are rare), they've added an extra protective layer.

Mint namely applies a level system to its updates: there are five levels. The higher the level, the bigger the stability risks.

Only updates classified as level 1, 2 or 3 are enabled by default. Level 4 is (partly) disabled by default, at least in the two most commonly selected update policies in Linux Mint 18.2 Sonya. Level 5 is disabled and invisible in all update policies.

That's because potential regression bugs in level 1-3 updates, can never be fatal for your system. Updates that might theoretically contain fatal bugs (showstopper regression bugs that can make an entire system unusable) should all be level 4 and 5.

That's what the update level system was designed for: to protect you against showstopper regressions. Thankfully those are very rare, but.... it's worthwhile to protect yourself against even a very rare showstopper regression.

Nevertheless, just to be on the safe side, you should never apply any updates when you're in the middle of doing important work. That goes for the level 1-3 updates as well. First finish your important work, then apply the available updates.

In the unlikely case that you ever get hit by a serious regression in a level 1-4 update, the motto is: just keep breathing, try to find a temporary workaround and wait for the new update that fixes it (usually within days).

Absolute beginners: trust the defaults

2. A golden rule in computing is: when in doubt, trust the defaults. Because they should be, and usually are, reasonable and sensible. But when you're getting a bit more experienced in Linux Mint, you might wish to change some default settings of Update Manager.

The level system is good and sound, although Ubuntu (on which Mint is built) is less cautious with its updates. And Ubuntu is only a bit less stable and reliable.

It might be worthwhile to make Mints Update Manager a little less cautious: that gives you the advantage of extra bug fixes and extra security updates.

Note: maybe you'd rather change nothing in Update Manager. That's OK, too. Without any changes you simply have a secure system. At the utmost you'll be missing some ordinary updates that aren't security-related.

It's therefore not at all necessary to change things. But it is important that you understand these aspects of Update Manager. That's why this is listed among the essential things to do.

So if you don't want to change any settings of Update Manager (yet), that's perfectly allright. But in any case I advise to read what's on this page, in order to get a better understanding of Update Manager.

Level 1, 2 and 3: Good updates. Always install them

3. First the safest levels, namely 1, 2 and 3. They're easy to understand: you'll always want to install those, because otherwise you'll miss important bug fixes and security fixes.

Even level 3 updates are still very low-risk to install, so just install them!

The developers of Linux Mint would like you to review level 3 updates before installing them (meaning: check the Linux Mint forum for problem reports concerning these updates). Theoretically, they're right.

But as I've learned in my decade of experience with Linux Mint and Ubuntu, that's in real life simply not practical or even useful for level 3. With some extremely rare exceptions, that are so rare that they don't need to be considered at all.

So I advise to make sure that all level 3 updates are always visible and always preselected:

Update Manager - panel: Edit - Preferences - section Levels

For level 3, ensure that both categories (Visible and Selected) are ticked. See the screenshot below (click on it to enlarge it):

Level 5: Bad updates. Never install them!

4. Now a quick jump to level 5. That level is also easy to understand: it's simply a a "secure" parking space for known bad apples coming from upstream (Ubuntu). They should never be installed, under any circumstances.

The developers of Linux Mint park these bad apples for you under level 5, until Ubuntu releases a fixed version. In all three update policies you won't notice anything of that: this is all happening behind the scenes.

So it's very easy: just never install level 5 updates. And don't make them visible: they're both useless and dangerous. This "parking lot" is very rarely used anyway.

Level 4 updates: handle with care

5. Now level 4, which is more complicated.

By default, all security updates of level 4 are visible but not preselected in the most cautious update policy "Just keep my computer safe", nor in the intermediate update policy "Let me review sensitive updates".

The reason is the risk profile: for desktop users, practical security risks of security holes in level 4 packages, are usually low anyway. So there's normally no hurry to update them. Whereas there always is a certain (rather small) danger, that updates from that level might severely damage the stability of your system.

If you examine which updates are tagged level 4 (the level that's -partly- disabled by default), you'll see that it concerns low-risk packages like bootloader Grub and your login manager LightDM. Not high-risk packages like web browser Firefox, Adobe Flash Player and such.

As said, these level 4 updates are treated differently because of their potential of causing big trouble in certain rare cases.

Those "risky" updates only rarely cause problems, in my experience. Ubuntu, on which Mint is based, doesn't even make this risk distinction in the first place. And Ubuntu is only a bit less reliable and stable than Mint. But rarely is not never....

For example: an update for bootloader Grub, could result in a system that won't boot. Grub is an excellent example of a package that only really needs to be updated in an existing installation, when that update would be of vital importance for that existing installation.

So you can postpone these level 4 updates until a convenient time when you've no hurry.

That's precisely the intention of the Linux Mint developers: they want you to install them, but one by one and not as part of the regular update batch.

Reboot your computer after each individual level 4 update, so that if a problem would arise, you'll know exactly which update caused it. Which makes troubleshooting and recovery assistance easier.

If you wish to increase the amount of level 4 updates a bit further, in order to include ordinary bug fixes as well, you can easily do that by switching your update policy. In the panel of Update Manager: Edit - Update policy.

I definitely do not recommend the third option, called "Always update everything". But the second option called "Let me review sensitive updates" is a reasonable choice for people who already have some experience with Linux Mint. This will make ordinary bug fixes (not security related) for level 4 packages visible as well.

Note: if you're an absolute beginner with Linux, then it's better to select the first option called "Just keep my computer safe". With that update policy you simply have a secure system. You'll only miss out on some ordinary updates that aren't security related.

The "Just keep my computer safe" update policy makes all security updates for level 4 visible, including kernel updates. If you find it convenient to make the invasive kernel updates invisible (for example if you don't want to break a driver that you've installed manually), this is how you do that:

Menu button - Administration - Update Manager
(Mint Xfce: Menu button - System - Update Manager)

Panel Update Manager: Edit - Preferences

Tab Options (first tab): untick:

Always show kernel updates

.... and of course make sure that also is unticked:

Always select kernel updates

Click the Apply button.

See the screenshot below (click on it to enlarge it):

Note: do you have a laptop from before 2010? If it contains a wireless chipset from Broadcom, it's better not to enable any updates for level 4. Because then you run a risk of losing your wireless connection. Newer Broadcom chipsets don't have this nasty problem, thankfully.

Beware: if you're unlucky and your system does get messed up because of a level 4 update, a clean re-installation is sometimes the only solution...

(continued in the column on the right)

This website is being sponsored by Google Ads.

Are you using an ad blocker? Then you're also blocking my earnings from advertisements....

If you wish to support my website, you can configure your ad blocker to make an exception for this website.

Thanks in advance....

Consider increasing the interval for checking for new updates

6. Furthermore, you might want to change the interval settings for checking for new updates (in the tab Auto-Refresh). See the screenshot below (click on it to enlarge it):

The first check happens 10 minutes after booting and then every two hours. These are reasonable settings; I recommend to leave them as they are.

However, if you do wish to change them: leave in any case the initial check that happens after booting, unchanged at 10 minutes. But you can safely increase the consecutive checks a bit, for example to 8 hours.

Optionally, select a mirror server

7. The servers that provide you with updates, might disappoint you: sometimes they might be very slow. In that case you might achieve better results with a mirror server near you.

This is how to change to a (or another) mirror server:

Update Manager - panel: Edit - Software sources - section Official repositories

Mirrors: change this for Main (sonya), by clicking on the address of the current server. Make your choice and click Apply.

Note: mirrors always have a delay of a couple of hours, when compared with the contents of the main server. That's inevitable. If you ever get a notification that the information on the mirror is outdated, don't change your mirror immediately, but simply try again after a few hours.

Consider installing kernel updates

8. You should consider whether you want to get updates for the kernel.

In the first two update policies, kernel updates aren't preselected but only visible. The reason is again the risk profile: for desktop users, security risks for kernels are usually low anyway. Whereas there's definitely a certain risk that a new kernel might damage the stability of your system.

In the Preferences (Update Manager - panel: Edit - Preferences - Options) you can always disable the visibility of kernel updates. In that case, when you want to install a particular kernel update anyway, you can always check manually for new kernels, like this:

Launch Update Manager. In the toolbar of Update Manager: View - Linux kernels

Then a window pops up, with a warning against installing new kernels. This warning is a bit exaggerated: the risk of problems is certainly there, but it's not as big as the warning implies.

And you might not want to miss security fixes that are present in the newer kernel, even though security fixes for the kernel, usually only repair small risks.

If the newer kernel should ever cause problems for you, it's easy to boot from the old kernel and remove the new one. More about that in item 8.2 below.

Click "Continue" in the warning window in order to proceed. See the screenshot below (click on it to enlarge it):

Note: when you apply kernel updates: stay preferably within the kernel series for which your Linux Mint version has been primarily designed. Only try a higher series when your default kernel series doesn't work well on your machine. See the explanation in item 8.1 below.

Click on the button Install for the latest kernel within the series of your preference. Only for the latest within its series, because older versions are of no use.

Reboot your computer after the installation. Now your system is running on the latest kernel.

Stick to your kernel series

8.1. Only install kernels from the same series as the one that's default for your version of Linux Mint!

If your machine functions well on the default kernel series, I strongly advise to stick with it. Because your Mint version has been designed around the "engine" of a particular kernel series. Changing the "engine" to one from another series, might diminish stability and might introduce unexpected bugs.

So in the case of Linux Mint 18.2: select kernel 4.8.x, and only select a kernel from a higher series when your machine doesn't run well on the 4.8 kernels.

The kernel is the heart of your system: of course you want a system in which the heart cooperates well with the software around it....

Important exception: very new hardware might not run well on your current kernel series, because it doesn't contain the latest drivers. So for brand new hardware, it's the latest kernel series that's often the best choice.

How to revert a kernel update

8.2. In the rather unlikely case that a newer kernel causes problems for you, it's easy to boot from the old kernel and then remove the newer kernel:

a. reboot your computer;

b. in the Grub bootloader menu, select the second option called Advanced options for Linux Mint;

c. then boot from the original kernel;

d. launch Update Manager. In the toolbar of Update Manager: View - Linux kernels;

e. remove the latest kernel by pressing its button Remove;

f. finally reboot: all should be well again.

Security in Linux Mint versus security in Ubuntu: a conclusion

9. So all in all: for a desktop user, is Mint less secure than Ubuntu, which never withholds any updates? Yes. By much? No, just a little.

Is Mint more stable than Ubuntu? Yes. By much? That depends mainly on your hardware combination.

The price Mint pays for its extra stability, in the form of a small decrease in practical security, is therefore pretty low. It's a balanced choice that I think is reasonable. For beginners and for system administrators, Mint's way is a tremendous advantage.

Advanced users only: the text file that defines the level system

10. Addition for advanced users only: the level system that mintupdate applies, is defined in this file:

All updates are level 2 by default. Unless the name of an update package matches one of the rules in that text file, in which case that rule has priority.

If you know what you're doing(!), you can change the level system by editing the rules in that file. But I advise not to do that, because the default settings are reasonable and sensible.

To the content of this website applies a Creative Commons license.