I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.
Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.
I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.
I don’t know about dnf, but pacman doesn’t do this by default. The only way to hold back packages is by writing it in the configuration.
dnf has a MUCH nicer interface than apt. Pacman is a completely different beast, but will basically just install anything you ask it no problems regardless of whether that will brick your device or not. I still don’t get why you need all that update && upgrade thing. How many users want to upgrade without resolving the repositories before that?