Contents of this page:
- 1. Absolute beginners: trust the defaults, but know your options
- 2. Smart protection against bad apples
- 3. Locking the most vital system parts: the reasons
- 4. Consider increasing the interval for checking for new updates
- 5. Warning: DO NOT enable automatic updates (but do consider automatic cleaning)
- 6. Select a mirror server
- 7. Stick to your kernel series
- 8. Two kinds of kernels: LTS kernels and HWE kernels
- 9. How to revert a kernel update
Absolute beginners: trust the defaults, but know your options
1. A golden rule in computing is: when in doubt, trust the defaults. Because they should be, and usually are, reasonable and sensible. But in Linux Mint you can have fine-grained control over your updates. Which offers some considerable benefits.
Note: maybe you're an absolute beginner and you'd rather change nothing in Update Manager. That's OK, too. It's not at all necessary to change things. But it is important that you understand some aspects of Update Manager. That's why this is listed among the essential things to do.
So if you don't want to change any settings of Update Manager (yet), that's perfectly all right. But in any case I advise you to read what's on this page, in order to get a better understanding of this very important tool.
Smart protection against bad apples
2. The default settings of Update Manager are cautious; that's a characteristic of Linux Mint. Stability first and foremost. In this, the Mint developers have done a magnificent job: on top of the already good quality control for updates (updates with bugs are rare), they've added an extra protective layer.
This protective layer relies by default heavily on your making system snapshots with Timeshift. A bit too heavily, if you ask me....
Timeshift is indeed a fine tool, but it has its limitations. One of them being that it can require a lot of disk space. This space requirement is of course dependent on the way that you use your system (did you perhaps install some update-happy Flatpaks?) and on the frequency with which you make those system snapshots (my advice: once every six months, or if you insist on a higher frequency: monthly, with a retention of just two snapshots).
However, thankfully there's a way to implement another protection that allows you to prevent problems caused by updates, instead of just "curing" them by means of Timeshift. Namely a smart use of apt-mark. Below I'll explain how to do that.
Locking the most vital system parts: the reasons
3. Important system parts are the bootloader Grub, linux-firmware, the microcode packages and the Linux kernel.
Even without Update Manager you can (preferably temporarily) lock or freeze those to their current versions. That way, they can't be damaged by a faulty update ("bad apple"). Those bad apples are thankfully rare, but they do happen occasionally.
Note that this does have some negative impact on system security, but usually not much. The security-critical packages which should always be updated right away are things like your web browsers (Firefox, Chrome) and such. Not your boot loader or kernel.
The reason is their risk profile: for desktop users, the practical security risks of vulnerabilities in those vital system parts are usually low anyway. So there's normally no hurry to update them. Whereas there always is a certain (albeit rather small) danger that updates for them might severely damage the stability of your system (showstopper regression bugs that can make an entire system unusable).
For example: an update for the bootloader Grub might result in a system that won't boot. Grub is an excellent example of a package that only really needs to be updated in an existing installation when that update would be of vital importance for that existing installation.
So you can postpone those updates until a convenient time when you're in no hurry. That's precisely the intention of this freezing measure: it allows you to separate potentially risky updates from the regular update batch and to install them at a time that suits you.
The typical use case is, when you're the system administrator for the machines of digitally handicapped people who live far away. Then it's convenient to apply it, as this'll reduce the times that you'll have to go over there to help them with computer problems.
Those are the reasons for locking the system's vitals. Below, in item 3.1, you'll find the how-to.
Locking the most vital system parts: the how-to
3.1. Enough said about the reasons for locking. This is how to lock Grub, linux-firmware, the microcode packages and the Linux kernel:
a. Make sure that all applications that use apt (Update Manager, Software Manager, Synaptic Package Manager, Software Sources etc.) are closed.
b. Launch a terminal window.
c. Now copy/paste the following command into the terminal (this is one huge line, don't chop it up!):
sudo apt-mark hold "grub-*" "grub2*" "linux-generic*" "linux-headers-generic*" "linux-image-generic*" "linux-signed-generic*" "linux-signed-image-generic*" linux-firmware intel-microcode amd64-microcode
Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even asterisks will show when you type it, that's normal. In Mint this has changed: you do see asterisks. Press Enter again.
Note: the locking command covers both signed and unsigned kernels, whereas there will of course only be one of those two kernel categories in your system. So you'll get to see "couldn't find" messages about the kernel category that you don't have, which is normal and expected.
d. You're done! If you wish to check which packages have been put on hold, you can use this terminal command, for which no root permission (sudo) is required:
apt-mark showhold
Press Enter.
e. Below, in item 3.2, I'll describe how to undo it (whenever you wish to apply updates for the vital system parts).
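A way to double-check step d and to see which updates the lock is postponing, as an added example that is not part of the original page: the script compares a package list with the output of apt-mark showhold, using the patterns from the command in step c. The function names and the sample package lists are made up for this illustration; the upgradable list follows the line format of apt list --upgradable.

```sh
#!/bin/sh
# Added example: audit the holds set in item 3.1 (patterns copied from its command).
VITAL_PATTERNS='grub-* grub2* linux-generic* linux-headers-generic* linux-image-generic* linux-signed-generic* linux-signed-image-generic* linux-firmware intel-microcode amd64-microcode'

# is_vital NAME: succeed if NAME matches one of the patterns above.
is_vital() {
    set -f                                   # no filename expansion while splitting
    for pat in $VITAL_PATTERNS; do
        case "$1" in $pat) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# on_list NAME LIST: succeed if NAME is exactly one line of LIST.
on_list() { printf '%s\n' "$2" | grep -xF -- "$1" >/dev/null; }

# unheld_vitals INSTALLED HELD: print installed vital packages that are not on hold.
unheld_vitals() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        if is_vital "$pkg" && ! on_list "$pkg" "$2"; then printf '%s\n' "$pkg"; fi
    done
}

# postponed_updates UPGRADABLE HELD: print held packages with an update waiting.
# UPGRADABLE uses the "name/suite version arch [...]" lines of `apt list --upgradable`.
postponed_updates() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in */*) pkg=${line%%/*} ;; *) continue ;; esac   # skip "Listing..."
        if on_list "$pkg" "$2"; then printf '%s\n' "$pkg"; fi
    done
}

# Constructed sample data, not captured from a real machine.
SAMPLE_INSTALLED='firefox
grub-common
grub2-common
linux-generic
linux-firmware'
SAMPLE_HELD='grub-common
grub2-common
linux-firmware'
SAMPLE_UPGRADABLE='Listing...
firefox/stable 2.0 amd64 [upgradable from: 1.0]
grub-common/stable 2.0 amd64 [upgradable from: 1.0]'
echo "Vital packages not on hold:"; unheld_vitals "$SAMPLE_INSTALLED" "$SAMPLE_HELD"
echo "Held packages with an update waiting:"; postponed_updates "$SAMPLE_UPGRADABLE" "$SAMPLE_HELD"
```

On a real system the three inputs would come from `dpkg-query -W -f='${Package}\n'`, `apt-mark showhold` and `apt list --upgradable 2>/dev/null`. A non-empty second list tells you which postponed updates are waiting for the unlocking described in item 3.2.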
Undoing the locking of vital system parts: the how-to
3.2. At any time you can easily unfreeze the vital system parts that you've locked as described above in item 3.1. For unfreezing do this:
a. Launch Timeshift and create a one-time snapshot. That way, you can always reverse the system if the unlocking has disruptive effects. When Timeshift is done, close it.
b. Make sure that all applications that use apt (Update Manager, Software Manager, Synaptic Package Manager, Software Sources etc.) are closed.
c. Launch a terminal window.
d. Now copy/paste the following command into the terminal (this is one huge line, don't chop it up!):
sudo apt-mark unhold "grub-*" "grub2*" "linux-generic*" "linux-headers-generic*" "linux-image-generic*" "linux-signed-generic*" "linux-signed-image-generic*" linux-firmware intel-microcode amd64-microcode
Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even asterisks will show when you type it, that's normal. In Mint this has changed: you do see asterisks. Press Enter again.
e. Now check whether the unlocking has succeeded; for that you can use this terminal command, for which no root permission (sudo) is required:
apt-mark showhold
Press Enter.
If everything has been unlocked, this command should show no output. At least not for Grub or the Linux kernel.
f. Launch Update Manager, refresh it and install any new updates it offers you.
Note: you should never apply any updates when you're in the middle of doing important work. That goes for the ordinary updates as well. First finish your important work, then apply the available updates.
In the unlikely case that you ever get hit by a serious regression in an update, the motto is: just keep breathing, try to find a temporary workaround (like restoring a system snapshot that you've made with Timeshift) and wait for the new update that fixes it (which usually arrives within days).
Beware: if you're unlucky and your system does get messed up because of a vital system update, restoring a system snapshot (or doing a clean re-installation) is sometimes the only solution...
Note: you'll still have a pretty secure system if you.... don't ever install any of those vital system updates at all! Much more secure than, say, Windows. So it's even a reasonable option to restrict yourself entirely to ordinary updates. I don't recommend that, but it's not insanely irresponsible to do so.
Consider increasing the interval for checking for new updates
4. Checking for updates is resource intensive, so you might want to increase the interval for checking for new updates (in the tab Auto-Refresh).
The first check happens 10 minutes after booting and then every two hours. These are reasonable settings; I recommend leaving them as they are.
However, if you do wish to change them: in any case leave the initial check that happens after booting unchanged at 10 minutes. But you can safely increase the consecutive checks a bit, for example to 8 hours. Don't exceed 24 hours: a check at least once a day is advisable for your security.
Warning: DO NOT enable automatic updates (but do consider automatic cleaning)
5. Unfortunately, Update Manager now also contains an automatic update feature. Thankfully it's not enabled by default, because updates should always be done consciously. So that they won't ever interrupt or damage your work.
However (you're the boss!) this obnoxious feature can be found as follows: Menu button - Administration - Update Manager - panel: Edit - Preferences - tab Automation.
The tab Automation also shows a feature which does come in handy: Automatic Maintenance. I advise switching it ON (Remove obsolete kernels and dependencies), because it has been safely and prudently configured to avoid causing any damage to your system.
Select a mirror server
6. The servers that provide you with updates will probably disappoint you: sometimes they are very slow. In that case you can achieve better results with a mirror server near you.
This is how to change to a (or to another) mirror server:
Update Manager - panel: Edit - Software sources - section Official Repositories
Mirrors: change this for Main (xia), by clicking on the address of the current server. Make your choice and click Apply. This fixes it for the Mint-only packages.
Then repeat this for Base (noble), which fixes it for the Ubuntu code base of your Mint.
Note: Mirrors always have a delay of a couple of hours when compared with the contents of the main server. That's inevitable, because they synchronize with that main server at intervals.
If you ever get a notification that the information on the mirror is outdated, don't change your mirror immediately, but simply try again after a few hours.
Background: The Main server (Mint-only packages) and the Base server (Ubuntu packages) have only two purposes: the first purpose is to feed the mirrors, and the second purpose is to give users a neutral starting point for the selection of the best mirror for them.
They're simply not meant to be utilized as permanent software sources by end users. When you use them like that anyway, your only advantage will be the warm fuzzy feeling of having updates a couple of hours earlier than the mirror users. Which has almost no practical security benefit. The annoyance of slow updates however, is very real, very bothersome and will keep plaguing you....
Stick to your kernel series
7. Preferably, only install kernels from the same series as the one that's default for your version of Linux Mint!
If your machine functions well on the default kernel series (for example 6.8.x), I strongly advise to stick to it. Because your Mint version has been designed around the "engine" of a particular kernel series. Changing the "engine" to one from another series, might diminish the stability of your system and might introduce unexpected bugs.
The kernel is the heart of your system: of course you want a system in which the heart cooperates well with the software around it....
Important exception: very new hardware might not run well on your current kernel series, because it might not contain the latest drivers. So for brand new hardware, if the kernel tool in Update Manager offers a newer series, it's the latest kernel series that's often the best choice. You can install a kernel of the latest series like this: Update Manager - panel: View - Linux kernels. Reboot after installing it.
Two kinds of kernels: LTS kernels and HWE kernels
8. There are two kinds of kernels: Long Term Supported kernels (LTS) and Hardware Enablement kernels (HWE).
A. LTS kernels
Linux Mint 22 and 22.1 were released with an LTS kernel, namely 6.8.x. This particular kernel series will be supported for the full five years of the supported lifespan of the Mint 22 series (which runs up to 22.3).
So for having a kernel with the latest security updates, you can always stick to kernel 6.8.x. You will never be forced to switch from an LTS kernel to an HWE kernel.
B. HWE kernels
An HWE kernel is a kernel that's only supported for a short period. The reason for the existence of HWE kernels is simple: hardware support.
The hardware drivers are in the kernel; pretty soon, new hardware becomes simply too new for the LTS kernel. So Mint needs HWE kernels in order to stay relevant for such brand-new hardware.
This means that if your Mint is running on an HWE kernel, you'll have to upgrade to a newer kernel series from time to time. At least if you want all security updates for the kernel of Mint.
Such a newer kernel series will always automatically be offered to you in the updates, as soon as your current HWE kernel reaches end of life. So no worries about the security.
From Mint 22.2 onward, Mint will have an HWE kernel by default (in order to stay relevant for very new hardware).
Note: The kernel team of Linus Torvalds also uses the terms LTS kernel and ordinary kernel. But that's completely unrelated to the procedures of Ubuntu and Linux Mint.
How to revert a kernel update
9. In the rather unlikely case that a newer kernel causes problems for you, it's easy to boot from the old kernel and then remove the newer kernel:
a. Reboot your computer.
b. In the Grub bootloader menu, select the second option called Advanced options for Linux Mint.
Don't you get to see the Grub bootloader menu? Then hit the Esc key just once, immediately after the BIOS screen appears.
However, hitting the Esc key just once at the exact right moment can be difficult. In that case, hit the Esc key repeatedly, immediately after the BIOS screen disappears. That increases your chances of success, but it'll give you a Grub command prompt without the menu.
No worries, however: at the Grub prompt, type normal and hit Enter. Then immediately start tapping the Esc key again repeatedly, until the menu is displayed after all. This time, don't worry about hitting Esc too many times: tapping Esc more than once at this point, won't drop you to the Grub command prompt.
c. Then boot from the original kernel.
d. Launch Update Manager. In the toolbar of Update Manager: View - Linux kernels.
e. Remove the latest kernel by clicking on it and then pressing its Remove button.
f. Finally reboot: all should be well again.
A Creative Commons license applies to the content of this website.