<b>Patch 40 boxes without touching any of them</b>

<b>Patch 40 boxes without touching any of them</b>

You will not manually <code>apt upgrade</code> across a fleet. You'll forget, and an unpatched OpenSSL eats you. Set security patches to auto-apply and leave everything else alone:

— <code>apt install unattended-upgrades</code>
— enable ONLY the <code>-security</code> origin in <code>50unattended-upgrades</code>
— <code>Unattended-Upgrade::Automatic-Reboot-Time "04:00";</code>

Security fixes land overnight, feature updates that might break things stay manual. Set it once per box, never think about CVEs again. Try it tonight.