Can I do Security and Important updates only?

Hello everyone,

I just upgraded a couple of my computers from Leap to Tumbleweed and I’m overwhelmed by the amount of updates and reboots needed. Is there a way to just update important security fixes and leave the non important updates to the weekend?

Thanks and Best regards,

Perhaps you should have stayed with Leap. Yes, there is a lot more updating with Tumbleweed than with Leap.

That said – you do not have to update immediately.

I have Tumbleweed running in a virtual machine. And I update that whenever I see updates are available. That’s probable 3-5 times per week.

I also have Tumbleweed on real hardware. And I only ever update that on Saturday. I turn off the update applet. For what I am doing with that computer, once per week is sufficient. And, actually, on one computer I do it only once per two weeks.

Thanks for your reply. What do you do about the occasional important security updates? You just defer them as well?


I monitor the factory mailing list

If there’s an urgent security issue, it is usually reported there. And then I decide whether to do an immediate update. Most of the time, it isn’t really that urgent, and then I wait until my next scheduled update.

Postpone the upgrades until you really need them or a really bad CVE is reported for software installed on your systems. I maintain several Tumbleweed installations, upgrading one as often as possible and some only when badly needed. Upgrading is the same smooth experience for both extremes.

Like others say, you can give security problems reported as “important” you own evaluation. E.g. when there is a vulnarability through an attack from the internet, you may want to access if your home LAN has an open port for that particular attack and if you are running any programs that are vulnarable. Also, many vulnarabilities can only be exploited from the system itself. When you do not have a user population of students or hack loving kids, that might not be inmportant to you. Etc.

Thanks for that, I subscribed to that list.
I went through all the messages from this month (52 so far) and noticed 2 things:

  1. The recommended course of action for all vulnerabilities was to apply a patch. So is it safe to assume that I can ignore updates until I see a patch listed?
  2. Almost all the vulnerabilities found are for Leap & Sle and nothing for Tumbleweed. How come? My leap installation gets very few updates per month, nothing close to 52. And how come Tumbleweed is never listed? Is the fast and constant update of the packages just replaces the old vulnerable ones so there’s no need?

Thanks and Best regards,

There are no patches for Tumbleweed, every dup is a new snapshot/release…

TW and Leap have a very different approach.

Leap is offered as a stable release. Not only stable in the sense of “does not break”, but also stable in “does not provide new versions of programs, thus when you are used to a program, it will work the same tomorrow as today”. The OSS and non-OSS repos are the version, they do not change after release date. Security and recommended are provided (often retrofitted) as, what zypper calls, Patches. They go into the Update-OSS and Update-non-OSS repos. Many however also call them by the generic term Updates. You can install then with zypper patch, or with YaST Online-Update. Youcan also do a zypper up, which will include the available Pastches. However this also will update newer version of other repos you have (like Packman). Some people like to do Patches and “real” updates in one go and use zypper up.

Tumbleweed is a rolling distribution. All the time new version of packages will be included. This will give you new features, but also maybe changed interfaces,etc. These new versions are integral tested with the then up-to-date TW. Of course, security patches rae pusshed through the process with priority. All then ends up in frequent new TW versions. From the viewpoint of zypper they are a new version of the whole Operatinfg system, and thus to be installed with zypper dup. BTW, because security patches are treated the same as other new versions of packages, you will find aempt Update repos with TW.

As @nrickert said in post #2 above, “Perhaps you should have stayed with Leap”. But I have no ideawhy you choose to make the step from Leap to TW.

Tumbleweed has by default two options: dist-upgrade and snapper rollback. Transactional Updates with btrfs and snapshots are available:

Thanks for the explanation. I failed to install Leap on my new laptop a few months ago and TW installed and works great. Had to reinstall my desktop a couple of weeks ago after a disk failure and decided to go with TW again since lots of the applications I use are old in the Leap repo and to have consistent application versions on both computers.