
Servers I set up in OpenBSD just keep working, and are an easy patch/upgrade process. Servers I set up in Ubuntu break and have weird patching issues. Maybe it's something I'm doing, but I sure do like that OpenBSD seems a lot easier to just have solid and work indefinitely.


You are not... it's Ubuntu.

Not Linux, not Debian, Ubuntu.

Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to a new Debian version every 2 years.

The few Ubuntus we had had more problems.


I used to have this Debian box (which was a PowerMac G4) in my hallway. It had a 1000+ day uptime, back when this kind of uptime was still cool, or at least I thought it was. At some point it was two major versions behind, and I decided to dist-upgrade it. To my amazement, the upgrade went flawlessly, and the system booted without problems afterward. Debian is just great like that.


How to upgrade Debian unattended if it's not a rolling release?


Not the Grand Poster, but we use the Debian package "unattended-upgrades" to install security updates automatically on our servers, and send an email if a reboot is required to complete the process (kernel upgrade).

Unattended upgrades could be configured to install more than the security release. Even with the stable release, one can add the official APT source for the Debian backports.


Back to OpenBSD... realize that it has no "unattended upgrades" capability. Until syspatch(8) appeared in 6.x you had to download patches and rebuild kernel and userland to get security fixes. Today, you could run syspatch(8) in a cron job but that only covers the base system. You'd need to handle any installed packages separately. And only the current and immediately previous release are supported at all. There are two releases a year, so you have to upgrade every ~6 months to stay in the support window.

Fortunately, with the introduction of the syspatch(8) and sysupgrade(8) utilities this is much simpler than it used to be. And, release numbers are just sequential with one point number, i.e. 7.0 was just the next release after 6.9, nothing more is implied by the "major" number ticking up.


Just curious, how do you manage service restarts, just restart as the update finishes?

I think I’m a bit scarred when a Docker upgrade took my entire stack down because of an API mismatch with Portainer, so I’m trying to be present during upgrades.

Edit: I’m talking about Debian of course. I’m not familiar with OpenBSD.


Use needrestart, you can mostly automate those restarts with it.
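Added example, not part of the thread: a sketch of the restart triage discussed above, which reads `needrestart -b` batch output, reports whether a kernel upgrade is pending, and separates services that are safe to restart automatically from ones held for a manual restart. The hold list (`HOLD_RE`), the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage needrestart batch output (added example; names are hypothetical).
# NEEDRESTART-KSTA values: 0 unknown, 1 no pending kernel upgrade,
# 2 ABI-compatible upgrade pending, 3 version upgrade pending.

# Assumption: units an operator wants to restart by hand, e.g. a container
# runtime whose restart takes the whole stack down with it.
HOLD_RE='^(docker|containerd)[.]service$'

plan_restarts() {
    awk -F': ' -v hold="$HOLD_RE" '
        $1 == "NEEDRESTART-KSTA" { ksta = $2 }
        $1 == "NEEDRESTART-SVC" {
            if ($2 ~ hold) manual = manual " " $2
            else           auto   = auto " " $2
        }
        END {
            print "reboot:" ((ksta == 2 || ksta == 3) ? " yes" : " no")
            print "auto:" auto
            print "manual:" manual
        }'
}

# Constructed sample of batch output, so the script runs without needrestart.
sample_output() {
    cat <<'EOF'
NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.1.0-17-amd64
NEEDRESTART-KEXP: 6.1.0-18-amd64
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: ssh.service
NEEDRESTART-SVC: docker.service
NEEDRESTART-SVC: cron.service
EOF
}

# On a real host, replace sample_output with: needrestart -b -r l
sample_output | plan_restarts
```

The three output lines can go into the same mail that reports a pending reboot, leaving the held services for a maintenance window.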


Debian still has security fixes, and point releases. unattended-upgrades is the package that automates their install.

I think you can also do unattended release upgrades by using the 'stable' release alias in sources. That will probably result in some stuff breaking since there will be package and configuration churn.


In case you are talking about automated upgrades between releases, there are some ideas for that here:

https://wiki.debian.org/AutomatedUpgrade

It is feasible to do if you prepare ahead of time, and you can even do automated offline upgrades with apt-offline and some scripting.


I use unattended-upgrades with Debian's rolling release (aka testing).

Mostly works fine apart from bugs in unattended-upgrades, or when my boot partition runs out of disk.


Maybe they run Debian Testing. Testing and Unstable (sid) are rolling, and the stable release is cut from the testing branch (through some process).


Well - I would recommend using a better Linux distribution than Ubuntu.

I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues with lighttpd (admittedly only few people use it; most seem to now use nginx).


Ubuntu seems to have a trend of taking something that works under Debian and somehow messing that up. Upgrades are one thing but for a while we had separate instructions on how to make Yubikey tokens work under each version of Ubuntu (we used them as smartcards for SSH key auth), while Debian instructions stayed the same...

Update was also hit and miss on users' desktop machines, for a while Ubuntu had a nasty habit of installing new kernel upgrades... without removing old ones, which eventually made boot run out of space and the poor user usually had to give it to helpdesk to fix.

Tho tbh most of the problems in any distro with packages is "a user installed a 3rd party repo that doesn't have well structured packages and it got messy".


I have used lighttpd in the past but have been using nginx largely because I got used to it because other people chose it.

Now in more of a position to pick for myself, and I wondered how you feel about the pros and cons of lighttpd? I remember quite liking its config at the time.


And which distribution would that be?


Debian


I agree but you could have just said it :)


Slackware



