Zwettler Markus (OIZ) <Markus.Zwettler@xxxxxxxxxx> writes: > Hi Marco, > > > > How do you handle these conflicts? No longer updating that regularly or not at all anymore? > Not doing the updates is a poor option due to the potential security vulnerabilities this may lead to. Likewise, delaying the application of updates is going to increase risks as well. In fact, we have found such approaches can make the situation worse. Delaying updates tends to result in more updates being applied at once, which makes it harder to identify problems when they do occur. I think the best approach is to apply updates as soon as possible. Apply the updates to a test or uat environment (or your dev environment if you don't have a test/uat/staging one). If there are issues, resolve them before applying the updates in prod. We have found it rare for updates to be an issue if your running the packages from the distribution. Problems seem to be more common when your running packages sourced from an external repository which may lag behind changes made by the distribution. When issues do occur, we look at the type of update e.g. security, bug fix, bump in dependency versions, new version etc and make a call as to the priority and respond accordingly. This may mean delaying applying the update, actively working to resolve the issue with investigations and debugging, raising an issue/bug with the package maintainers etc. We also classify all our systems, services, databases etc according to whether they are core business processes or supporting processes. We apply updates to supporting systems before core systems. This also affects when we apply updates. For example, we would not apply updates to a core system on Friday afternoon. In fact, we may apply updates to core systems outside main business hours. If issues are encountered when applying updates to core systems, resolution of those issues are highest priority. For secondary systems, we are more likely to do the updates during business hours, will accept longer outages/down times and may not make resolution of issues the highest priority.
