$ Linux One Liners
Back to lessons

Cybersecurity Triage

Preview Security Impact of dist-upgrade

A regular upgrade leaves packages behind and you need to preview the broader resolver plan without installing it.

Command

apt-get -s dist-upgrade | awk '/^Inst/ {print}'

What changed

Nothing changes. apt-get simulates dist-upgrade and awk lists proposed package installations or upgrades.

Danger

safe

When to use it

Use when kernel, libc, or dependency-chain security fixes are kept back by the normal upgrade path.

When not to use it

Do not run the real dist-upgrade casually; review removals, new packages, and service impact first.

Undo or recovery

No undo needed because the command is read-only simulation.

Expected output

Inst rows showing the broader package resolver plan, including security-origin kernel or library updates.

demo script

Disposable terminal steps

  1. apt-get -s dist-upgrade
  2. apt-get -s dist-upgrade | awk '/^Inst/ {print}'
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ apt-get -s dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-image-6.8.0-63-generic
The following packages will be upgraded:
  libc6 linux-image-generic openssl
3 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [2.39-0ubuntu8.4] (2.39-0ubuntu8.5 Ubuntu:24.04/noble-security [amd64])
Inst linux-image-6.8.0-63-generic (6.8.0-63.66 Ubuntu:24.04/noble-security [amd64])
Inst linux-image-generic [6.8.0-60.63] (6.8.0-63.66 Ubuntu:24.04/noble-security [amd64])
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
::exit-code::0
$ apt-get -s dist-upgrade | awk '/^Inst/ {print}'
Inst libc6 [2.39-0ubuntu8.4] (2.39-0ubuntu8.5 Ubuntu:24.04/noble-security [amd64])
Inst linux-image-6.8.0-63-generic (6.8.0-63.66 Ubuntu:24.04/noble-security [amd64])
Inst linux-image-generic [6.8.0-60.63] (6.8.0-63.66 Ubuntu:24.04/noble-security [amd64])
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
::exit-code::0

YouTube Short

Preview the broader patch plan.

If normal upgrade keeps packages back, simulate dist-upgrade before deciding whether the maintenance window is big enough.

LinkedIn hook

Kernel and dependency security fixes may only appear in the broader upgrade plan.

Question: When do you escalate from apt upgrade to a broader dist-upgrade review?

experiments

A/B tests to run

Metric: average_view_duration

A: Kernel patches may need broader review.

B: Preview dist-upgrade before approving it.