Linux Mint 18.1: how to tweak Update Manager

The protective level system of Linux Mint 18.1

1. The default settings of Update Manager are very cautious; that's a characteristic of Linux Mint. Stability first and foremost. In this, the Mint developers have done a magnificent job: on top of the already good quality control for updates (updates with bugs are rare), they've added an extra protective layer.

Mint applies a level system to its updates: only updates classified as level 1, 2 or 3 are enabled by default. Level 4 and 5 are disabled by default, at least in the two most commonly selected update policies in Linux Mint 18.1 Serena.

That's because potential regression bugs in level 1-3 updates can never be fatal for your system. Updates that might theoretically contain fatal bugs (showstopper regression bugs that can make an entire system unusable) should all be level 4 and 5.

That's what the update level system was designed for: to protect you against showstopper regressions. Those are very rare, but it's worthwhile to protect yourself against even a very rare showstopper regression.

Nevertheless, just to be on the safe side, you should never apply any updates when you're in the middle of doing important work. That goes for level 1-3 updates as well. First finish your important work, then apply the available updates.

In the unlikely case that you ever get hit by a serious regression in a level 1-3 update, the motto is: just keep breathing, try to find a temporary workaround and wait for the new update that fixes it (usually within days).

Not for absolute beginners: tweaking the defaults

2. A golden rule in computing is: when in doubt, trust the defaults. Because they should be reasonable and sensible. But when you're getting a bit more experienced in Linux Mint, you might wish to change some default settings of Update Manager.

The level system is good and sound, although Ubuntu (on which Mint is built) is less cautious with its updates. And Ubuntu is also stable and reliable.

It might be worthwhile to make Mint's Update Manager a little less cautious: that gives you the advantage of extra bug fixes and extra security updates.

Note: maybe you'd rather change nothing in Update Manager. That's OK, too. Without any changes you still have a secure system. Much more secure than Windows, for example....

It's therefore not at all necessary to change things. But it is important that you understand these aspects of Update Manager. That's why this is listed among the essential things to do.

So if you don't want to change the settings of Update Manager (yet), that's perfectly alright. But in any case I advise you to read what's on this page, in order to get a better understanding of Update Manager.

You can tweak the settings of Update Manager in the following way:

Consider enabling security updates for level 4 and 5

3. Security updates of level 4 and 5 aren't even shown by default in the most cautious update policy, "Don't break my computer!" (they are shown in the second update policy, "Optimize stability and security"). And in neither of those two update policies are they enabled by default.

The reason is the risk profile: for desktop users, the practical security risks of security holes in level 4 and 5 packages are usually low anyway, whereas there's a certain (rather small) risk that updates from those levels might damage the stability of your system.

If you examine which updates are tagged level 4 and 5 (the levels that are disabled by default), you'll see that it concerns low-risk packages like bootloader Grub and your graphical system. Not high-risk packages like web browser Firefox, Adobe Flash Player and such.

These level 4 and 5 updates are generally withheld because of their potential to cause big trouble in certain cases (pure Ubuntu included).

For example: an update for bootloader Grub could result in a system that won't boot. Grub is an excellent example of a package that should only be updated in an existing installation when that update is of vital importance for that existing installation.

Nevertheless, if you wish to increase the security level a bit further, you can easily do that by switching your update policy. In the panel of Update Manager: Edit - Update policy.

I definitely do not recommend the third option, called "Always update everything". But the second option called "Optimize stability and security" is a reasonable choice for people who already have some experience with Linux Mint.

Note: if you're an absolute beginner with Linux, then it's better to select the first option called "Don't break my computer!". With that update policy you still have a secure system. Much more secure than Windows, for example....

The "Optimize stability and security" option only makes security updates for level 4 and 5 visible, but it doesn't enable them by default. If you find it convenient to have them enabled by default as well, this is how you do that:

Menu button - Administration - Update Manager
(Mint Xfce: Menu button - System - Update Manager)

Panel Update Manager: Edit - Preferences

Tab Options (first tab): tick:

Always select and trust security updates

Click the Apply button.

Note: do not tick "Always select and trust kernel updates"! Those updates are too invasive for that (more about that later). In fact, I even advise turning them off altogether, by unticking "Always show kernel updates".

See the screenshot below:

These "risky" updates only rarely cause problems, in my experience. Ubuntu, on which Mint is based, doesn't even make this risk distinction in the first place.

So where security updates are concerned, it's a reasonable choice to apply updates for level 4 and 5. For that, it suffices to tick the aforementioned option.

Note: do you have a laptop from before 2010? If it contains a wireless chipset from Broadcom, it's better not to enable security updates for level 5. Because then you run a big risk of losing your wireless connection. Level 4 has no effect on Broadcom. Newer Broadcom chipsets don't have this nasty problem, thankfully.

To be on the safe side, you may wish to keep ordinary updates for level 4 and 5 disabled. As is shown in the above screenshot.

Beware: if you're unlucky and your system does get messed up because of these updates, a clean re-installation is often the only solution...

Consider increasing the interval for checking for new updates

4. In the second place, you might want to change the interval settings for checking for new updates (in the tab Auto-Refresh). See the screenshot below:

The first check happens 10 minutes after booting and then every two hours. These are reasonable settings; I recommend leaving them as they are.

However, if you do wish to change them: in any case, leave the initial check that happens after booting unchanged at 10 minutes. But you can safely increase the interval for the subsequent checks a bit, for example to 8 hours.

Consider installing kernel updates

5. In the third place you should consider whether you want to get updates for the kernel.

In the update policy "Don't break my computer!", kernel updates aren't enabled and aren't visible. The reason is again the risk profile: for desktop users, security risks for kernels are usually low anyway. Whereas there's definitely a certain risk that a new kernel might damage the stability of your system.

You can always check manually for new kernels from time to time, like this:

Launch Update Manager. In the toolbar of Update Manager: View - Linux kernels

Then a window pops up, with a warning against installing new kernels. This warning is a bit exaggerated: the risk of problems is certainly there, but it's not as big as the warning implies.

And you might not want to miss security fixes that are present in the newer kernel, even though security fixes for the kernel usually only repair small risks.

If the newer kernel should ever cause problems for you, it's easy to boot from the old kernel and remove the new one. More about that in item 5.2 below.

Click "Continue" in the warning window in order to proceed. See the screenshot below:

Note: when you apply kernel updates, preferably stay within the kernel series for which your Linux Mint version has been primarily designed. Only try a higher series when your default kernel series doesn't work well on your machine. See the explanation in item 5.1 below.

Click on the button Install for the latest kernel within the series of your preference. Only for the latest within its series, because older versions are of no use.

Reboot your computer after the installation. Now your system is running on the latest kernel.

Stick to your kernel series

5.1. Only install kernels from the same series as the one that's default for your version of Linux Mint!

If your machine functions well on the default kernel series, I strongly advise sticking with it, because your Mint version has been designed around the "engine" of a particular kernel series. Changing the "engine" to one from another series might diminish stability and might introduce unexpected bugs.

So in the case of Linux Mint 18.1: select kernel 4.4.x, and only select a kernel from a higher series when your machine doesn't run well on the 4.4 kernels.

The kernel is the heart of your system: of course you want a system in which the heart cooperates well with the software around it....

Important exception: very new hardware might not run well on your current kernel series, because it doesn't contain the latest drivers. So for brand new hardware, it's the latest kernel series that's often the best choice.

How to revert a kernel update

5.2. In the rather unlikely case that a newer kernel causes problems for you, it's easy to boot from the old kernel and then remove the newer kernel:

a. reboot your computer;

b. in the Grub bootloader menu, select the second option called Advanced options for Linux Mint;

c. then boot from the original kernel;

d. launch Update Manager. In the toolbar of Update Manager: View - Linux kernels;

e. remove the latest kernel by pressing its button Remove;

f. finally reboot: all should be well again.

Security in Linux Mint versus security in Ubuntu: a conclusion

6. So all in all: for a desktop user, is Mint less secure than Ubuntu, which doesn't withhold any updates? Yes. By much? No.

Is Mint more stable than Ubuntu? Yes. By much? That depends on your hardware combination.

The price Mint pays for its extra stability, in the form of a small decrease in practical security, is therefore pretty low. It's a balanced choice that I think is reasonable. For beginners and for system administrators, Mint's way is a tremendous advantage.

Advanced users only: the text file that defines the level system

7. Addition for advanced users only: the level system that mintupdate applies is defined in this file:

All updates coming from (Mint-only packages from the developers of Linux Mint) are level 1 by default. Unless the name of an update package matches one of the rules in that text file, in which case that rule has priority.

All updates coming from upstream Ubuntu (the vast majority) are level 3 by default. Unless the name of an update package matches one of the rules in that text file, in which case that rule has priority.

If you know what you're doing(!), you can change the level system by editing the rules in that file. But I advise not to do that, because the default settings are reasonable and sensible.
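
The level logic described in items 3 and 7, written out as an added Python example (this is not mintupdate's own code). The rule syntax and rule entries, the policy keys "dont-break" and "optimize", the function names and the sample update list are all constructed for illustration; the page does not show the real file's format.

```python
import fnmatch

# Constructed rules: (package-name pattern, level). The real rules file has its
# own syntax and entries, which this page does not show.
SAMPLE_RULES = [("grub*", 5), ("xserver-xorg*", 4)]

# Defaults stated above: Mint's own packages are level 1, upstream Ubuntu level 3.
DEFAULT_LEVEL = {"mint": 1, "ubuntu": 3}


def resolve_level(name, origin, rules=SAMPLE_RULES):
    """A rule matching the package name has priority over the origin default."""
    for pattern, level in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return level
    return DEFAULT_LEVEL[origin]


def treatment(name, origin, is_security, policy, trust_security=False):
    """Return 'selected', 'shown' (listed but unticked) or 'held back'.

    policy is "dont-break" or "optimize" (hypothetical keys for the first two
    update policies). trust_security models the tick box "Always select and
    trust security updates", treated here as independent of the policy (an
    assumption). Kernel updates are not modelled.
    """
    if policy not in ("dont-break", "optimize"):
        raise ValueError("unmodelled policy: %r" % policy)
    if resolve_level(name, origin) <= 3:
        return "selected"            # levels 1-3 are enabled by default
    if is_security and trust_security:
        return "selected"            # level 4/5 security update, option ticked
    if is_security and policy == "optimize":
        return "shown"               # visible, but not enabled by default
    return "held back"


def unselected_security(updates, policy, trust_security=False):
    """Names of pending security updates that would not be pre-selected."""
    return [name for name, origin, is_sec in updates
            if is_sec and treatment(name, origin, True, policy, trust_security) != "selected"]


# Constructed pending-update list: (package, origin, is_security_update)
PENDING = [("firefox", "ubuntu", True), ("grub-pc", "ubuntu", True),
           ("xserver-xorg-core", "ubuntu", False), ("mintupdate", "mint", False)]

if __name__ == "__main__":
    for policy in ("dont-break", "optimize"):
        print(policy, unselected_security(PENDING, policy))
    print("optimize + tick", unselected_security(PENDING, "optimize", True))
```

With this constructed list, the only security update left unselected under either policy is the level 5 one, and ticking the option selects it while the ordinary level 4 update stays held back.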

