How do I check only security updates from the command-line?

My question is just about detecting the availability of security updates

Yes, that's doable with the caveat that the normal apt-get update will do a full refresh when you next run it (20 MB means it's doing that anyway).

  • sudo sh -c 'grep precise-security /etc/apt/sources.list > /etc/apt/secsrc.list'

  • And if you then run the following, you'll see if there are any security updates available (sample output):

    sudo sh -c 'apt-get -o Dir::Etc::sourcelist="secsrc.list" \
    -o Dir::Etc::sourceparts="-" update && \
    apt-get --assume-no upgrade'
    
  • This tells apt-get to temporarily use the special security-only sources list, and then runs upgrade, automatically answering no.

  • If there are any, run a proper apt-get update (which will do a full refresh), and then upgrade.

  • You could make the above a bash script with a simple grep/exit code check at the end if you don't feel like parsing the apt-get output :)


This may not be exactly what the question is asking, but if you've already run apt update, you can see what security updates are available using:

sudo apt list --upgradable | grep -e "-security"

which will give you something like:

libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.9 i386 [upgradable from: 1.0.2g-1ubuntu4.8]
openssl/xenial-updates,xenial-security 1.0.2g-1ubuntu4.9 i386 [upgradable from: 1.0.2g-1ubuntu4.8]
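
Added example (not part of either answer above): a small POSIX shell check in the spirit of the grep/exit-code script suggested in the first answer, reading `apt list --upgradable` output in the format shown in the second. It matches `-security` only in the pocket field after the `/`, so a package whose name merely contains `-security` is not counted; the function names and the two `example-*` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt list --upgradable` output. The libssl1.0.0 and
# openssl lines are the ones quoted above; the example-* lines are made up.
sample_output() {
    cat <<'EOF'
Listing... Done
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.9 i386 [upgradable from: 1.0.2g-1ubuntu4.8]
openssl/xenial-updates,xenial-security 1.0.2g-1ubuntu4.9 i386 [upgradable from: 1.0.2g-1ubuntu4.8]
example-pkg/xenial-updates 2.0 all [upgradable from: 1.0]
example-security-tools/xenial-updates 1.1 all [upgradable from: 1.0]
EOF
}

# Read `apt list --upgradable` output on stdin and print "package new-version"
# for every package offered from a pocket whose name ends in -security.
security_upgrades() {
    awk -F'[/ ]' '
        # Header, blank and other non-package lines have no "/" separator.
        index($0, "/") == 0 || NF < 3 { next }
        {
            # $1 = package, $2 = comma-separated pockets, $3 = new version
            n = split($2, pockets, ",")
            for (i = 1; i <= n; i++)
                if (pockets[i] ~ /-security$/) { print $1, $3; break }
        }'
}

# Return 0 when nothing is pending, 1 (after listing them) when at least one
# security upgrade is pending, so cron or monitoring can act on the status.
check_security() {
    pending=$(security_upgrades)
    if [ -z "$pending" ]; then
        return 0
    fi
    printf '%s\n' "$pending"
    return 1
}

# Demo on the constructed sample. On a real system, after `apt update`:
#   apt list --upgradable 2>/dev/null | check_security
sample_output | security_upgrades
```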