Updating a Linux system means refreshing the list of available software versions from repositories and installing newer versions of already-installed packages. On Ubuntu and Debian-based systems, the two-command sequence sudo apt update && sudo apt upgrade handles this completely. On Fedora, a single sudo dnf update does both steps. Regular updates are the single most important maintenance task for a Linux system, providing security patches, bug fixes, and new features for all installed software simultaneously.
Introduction: Why Updating Linux Is Different — and Better
If you have used Windows, you are familiar with the update experience: a notification appears, you schedule a restart, the computer reboots and displays “Working on updates — do not turn off your PC” for anywhere from five minutes to an hour, and eventually you are back at your desktop. Some updates require multiple reboots. Individual applications update separately through their own mechanisms. The whole process is fragmented, unpredictable, and occasionally disruptive.
Linux updates work fundamentally differently, and for most users, dramatically better. Because nearly all software on a Linux system — not just the operating system itself, but every installed application — is managed through the package manager, updates are centralized. One command refreshes the information about available updates for everything on your system. Another command installs all of those updates at once. The process is fast, transparent, and almost never requires a reboot (except for kernel updates, which do require one).
Understanding how Linux updates work, when to run them, what the different update operations mean, and how to handle the occasional complexity that arises is one of the most practically important pieces of Linux knowledge you can have. A well-maintained, regularly updated Linux system is significantly more secure and reliable than one that goes weeks or months without updates. This article gives you everything you need to keep your Linux system in excellent shape.
The Update Vocabulary: Refreshing vs. Upgrading
Linux documentation and tutorials use several terms that newcomers sometimes conflate. Distinguishing them precisely prevents confusion.
Updating vs. Upgrading: The Key Distinction
In Linux package management, updating and upgrading refer to two distinct operations that are often performed together but are conceptually separate:
Updating (or refreshing) means downloading fresh information about what packages are available in the repositories — their current versions, sizes, and dependency information. This operation does not install or change any software on your system. It simply updates your package manager’s local knowledge of what is available. Think of it as refreshing a catalog: you are downloading the latest version of the store’s inventory list, not actually buying anything.
Upgrading means installing newer versions of already-installed packages, based on the current information in your local package index. This is where software actually gets updated on your system. Before upgrading, you should always update (refresh) the package index to make sure you are seeing the latest available versions.
In everyday conversation, Linux users often say “update” to mean both operations performed together. When a tutorial says “run your updates,” it usually means both refreshing the package index and then installing available upgrades. The technical distinction matters when you want to know exactly what each command does.
Security Updates vs. Feature Updates
Not all updates are created equal. Updates fall into two broad categories:
Security updates fix vulnerabilities in software — bugs that could be exploited by malicious actors to compromise your system, steal data, or execute unauthorized code. Security updates are released as soon as vulnerabilities are discovered and patches are prepared. They are the highest-priority updates and should be applied promptly — ideally within days of their release.
Feature and bug-fix updates add new capabilities to software, fix non-security bugs, and improve performance. These are less urgent than security updates but still improve the overall quality and stability of your system. Most regular package upgrades on a running system are of this type.
Some distributions maintain separate update channels for security updates vs. feature updates, allowing administrators to apply security patches immediately while deferring potentially disruptive feature changes to scheduled maintenance windows. On desktop systems, most users apply all available updates together without worrying about this distinction.
Kernel Updates
Kernel updates deserve special mention because they behave differently from application updates in one important way: a kernel update requires a reboot to take effect. When a new kernel is installed, it replaces the old kernel files, but the currently running kernel (loaded into memory at boot time) does not change until you restart the system.
After a kernel update, you will see the new kernel version available at the GRUB boot menu. Until you reboot, the old kernel version continues running. Your package manager will show the update as applied, but the system is not actually running the new kernel yet.
On a desktop system, it is safe to reboot immediately after a kernel update. On a server, kernel updates require planning — you need to schedule a maintenance window for the reboot because the system will be unavailable during the restart.
Other updates — to applications, libraries, and non-kernel system components — do not require a reboot. The new version is used by newly started processes; existing running processes continue using the old version of a library or application until they are restarted. For a library update to fully take effect for all applications, restarting the affected applications (or logging out and back in, which restarts all user-space processes) is sufficient.
Updating on Ubuntu and Debian-Based Systems
Ubuntu, Linux Mint, Debian, Pop!_OS, and all Debian-derived distributions use APT for package management. The update process on these systems uses the apt command.
The Standard Update Sequence
The two commands you will run most frequently for system maintenance are:
$ sudo apt updateThis refreshes APT’s local package index by downloading current package information from all configured repositories. Running it tells you how many packages can be upgraded:
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:3 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Fetched 378 kB in 2s (189 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
42 packages can be upgraded. Run 'apt list --upgradable' to see them.Then:
$ sudo apt upgradeThis installs all available upgrades for currently installed packages. APT shows you a summary of what will be upgraded, how much data needs to be downloaded, and how much disk space will be used:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
curl libcurl4 libssl3 openssh-client python3-apt ubuntu-advantage-tools
[and more...]
42 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.4 MB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n]42 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Need to get 28.4 MB of archives. After this operation, 4,096 B of additional disk space will be used. Do you want to continue? [Y/n]
Press Enter (or Y followed by Enter) to confirm. APT downloads the packages and installs them. The process typically takes a few minutes depending on the number of updates and your internet connection speed.
Running Both Commands Together
The && operator runs the second command only if the first succeeds. This makes the combined update-then-upgrade sequence safe to run as a single command:
$ sudo apt update && sudo apt upgradeThis is the standard maintenance command you will use most often. You can add -y to automatically confirm the upgrade without the interactive prompt — useful in scripts:
$ sudo apt update && sudo apt upgrade -yThe Difference Between upgrade and full-upgrade
APT offers two upgrade commands with different behaviors when package changes are needed:
sudo apt upgrade — upgrades packages but will not remove any existing packages or install new packages that were not previously installed. If an upgrade requires removing a package or adding a new dependency, that package is simply held back rather than upgraded. This is the conservative, safe option for regular maintenance.
sudo apt full-upgrade — performs a more comprehensive upgrade that will install new packages and remove existing packages if that is necessary to complete the upgrade. This handles situations where the dependency graph has changed — a package was renamed, split into multiple packages, or replaced by a different package. Use full-upgrade periodically and whenever you notice packages being held back after a regular upgrade.
$ sudo apt full-upgradeFor most desktop users doing regular maintenance, apt upgrade is appropriate for daily use, with apt full-upgrade used occasionally or when updates appear to be stuck.
Seeing What Will Be Updated Before Committing
Before running an upgrade, you can see exactly which packages will be updated:
$ apt list --upgradable
Listing... Done
curl/.noble-updates 8.5.0-2ubuntu10.3 amd64 [upgradable from: 8.5.0-2ubuntu10.1]
libcurl4/.noble-updates 8.5.0-2ubuntu10.3 amd64 [upgradable from: 8.5.0-2ubuntu10.1]
libssl3/.noble-updates 3.0.13-0ubuntu3.4 amd64 [upgradable from: 3.0.13-0ubuntu3.2]This shows the package name, the new version it will be updated to, and in brackets, the version currently installed. This is useful for understanding what an update will change, particularly on servers where changes need to be understood before being applied.
Updating Only Security Packages
On Ubuntu systems, you can apply only security updates without other package upgrades. This is particularly useful for servers where you want minimal changes but need security patches quickly:
$ sudo apt update
$ sudo apt upgrade -o Dir::Etc::SourceList=/etc/.apt/sources.list.d/.ubuntu-security.listA simpler approach uses the unattended-upgrades package, which can be configured to automatically install security updates:
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure -plow unattended-upgradesThis sets up automatic security updates without requiring manual intervention — an excellent practice for both servers and desktops.
Checking for Specific Package Updates
To check the current installed version of a specific package and whether a newer version is available:
$ apt policy package-nameFor example:
$ apt policy firefox
firefox:
Installed: 124.0.1+build1-0ubuntu0.24.04.1
Candidate: 125.0.3+build1-0ubuntu0.24.04.1
Version table:
125.0.3+build1-0ubuntu0.24.04.1 500
500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64
*** 124.0.1+build1-0ubuntu0.24.04.1 100
100 /var/lib/dpkg/status
The output shows the installed version, the candidate (newest available) version, and where each version comes from. This is useful for verifying that a specific security fix has been applied.
Keeping Your System Clean After Updates
After upgrades, some maintenance commands keep your system tidy:
$ sudo apt autoremoveRemoves packages that were installed as dependencies but are no longer needed by any installed package. This frees up disk space without removing anything you intentionally installed.
$ sudo apt autocleanRemoves cached package files for packages no longer in the repositories. Keeps the APT cache from growing indefinitely.
Running these two commands after a major upgrade session is good practice.
Updating on Fedora and Red Hat Systems
Fedora, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, and Rocky Linux all use DNF for package management.
The Standard DNF Update Command
On DNF-based systems, a single command handles both refreshing the package database and installing all available upgrades:
$ sudo dnf updateDNF checks all configured repositories for updates, calculates dependency changes, and presents a summary:
Last metadata expiration check: 0:05:42 ago on Mon Feb 18 14:22:11 2026.
Dependencies resolved.
========================================================
Package Arch Version Repository Size
========================================================
Upgrading:
curl x86_64 8.6.0-7.fc40 updates 299 k
firefox x86_64 125.0.3-1.fc40 updates 89 M
kernel x86_64 6.8.9-300.fc40 updates 26 M
[...]
Transaction Summary
========================================================
Upgrade 28 Packages
Total download size: 128 M
Is this ok [y/N]:Type y and press Enter to proceed.
sudo dnf upgrade is an alias for sudo dnf update — they do the same thing.
Checking for Updates Without Installing
To see what updates are available without installing them:
$ dnf check-updateThis lists all packages with available updates without prompting for or performing installation.
Updating a Specific Package
To update only one specific package rather than everything:
$ sudo dnf update package-nameFor example, to update only the kernel:
$ sudo dnf update kernelAutomatic Updates on Fedora
Fedora provides the dnf-auto.matic service for automatic updates:
$ sudo dnf install dnf-automatic
$ sudo systemctl enable --now dnf-automatic.timerBy default, dnf-auto.matic is configured to download updates but not install them automatically — it creates a report of available updates. Edit /etc/.dnf/automatic.conf to change apply_updates = no to apply_updates = yes for fully automatic installation.
Updating on Arch-Based Systems
Arch Linux, Manjaro, EndeavourOS, and other Arch-derived systems use Pacman and follow a rolling release model where the system is continuously updated rather than moving between discrete versions.
System Update with Pacman
$ sudo pacman -SyuThis single command synchronizes the package data.base (/-S), refreshes the data.base (/-y), and upgrades all packages (/-u). On Arch, this should be run regularly — at least once a week — because the rolling release model means packages can change significantly between updates if you fall too far behind.
On Manjaro, the equivalent command goes through Manjaro’s own repositories which hold packages back for additional testing:
$ sudo pacman -SyuOr using Manjaro’s graphical Update Manager for a visual interface.
AUR Updates
If you use AUR packages (installed through a helper like yay or paru), these are not updated by regular pacman -Syu. Update AUR packages with your AUR helper:
$ yay -Syuor
$ paru -SyuThese helpers update both official repository packages and AUR packages together.
Graphical Update Managers
Command-line updates are powerful, but all major Linux distributions also provide graphical tools for users who prefer a visual interface.
Ubuntu Update Manager
On Ubuntu, the Software Updater (or Update Manager on older versions) provides a clean graphical interface for updates. It launches automatically when updates are available (typically after a fresh login) and presents a list of available updates with descriptions. Click “Install Now” to apply them.
The Software Updater also handles kernel updates and will prompt you to restart when a kernel update has been installed. This is the recommended interface for users who primarily use the graphical desktop and do not need the control or speed of the terminal approach.
Access it manually:
- Applications menu → Software Updater
- Or from the terminal:
update-manager
Linux Mint Update Manager
Linux Mint’s Update Manager is considered one of the best graphical update interfaces on any Linux distribution. It categorizes updates by type and stability level — for example, marking kernel updates as requiring extra caution — and provides clear descriptions of each update. It also allows you to selectively apply individual updates rather than all of them at once.
Open from: Menu → Administration → Update Manager, or from the shield icon in the system tray.
GNOME Software (Fedora)
On Fedora, the GNOME Software application handles both application installation and updates. Its Updates section shows available updates with descriptions and allows one-click application. GNOME Software handles both traditional DNF packages and Flatpak updates.
KDE Discover (KDE Plasma)
On KDE Plasma desktops, Discover provides a graphical package management and update interface. Its Updates section shows all available updates and applies them with a single click.
Distribution Upgrades: Moving Between Versions
Beyond regular package updates, Linux distributions periodically release new major versions (Ubuntu 22.04 → 24.04, Fedora 39 → 40, etc.). Upgrading to a new distribution version is a bigger operation than regular package updates and deserves its own consideration.
Ubuntu Distribution Upgrades
Ubuntu provides a tool called do-release-upgrade for upgrading between versions:
$ sudo do-release-upgradeThis tool checks whether a new release is available, presents information about what the upgrade entails, and if you confirm, downloads and installs all the packages for the new version. The process typically takes 30-90 minutes depending on connection speed and system speed.
Recommendations for Ubuntu upgrades:
Only upgrade from LTS to LTS (Long Term Support) versions unless you specifically want the newest features. LTS-to-LTS upgrades are better tested and more stable. Ubuntu 22.04 → 24.04 is an LTS upgrade; Ubuntu 22.04 → 23.10 is a non-LTS upgrade.
Back up your data before upgrading. Distribution upgrades are more complex than regular updates and carry higher risk of something going wrong.
Read the release notes for the new version before upgrading. Sometimes upgrades require addressing configuration changes or deprecated features.
The graphical equivalent: on Ubuntu, the Software Updater will prompt you when a new LTS version is available, offering an upgrade button that runs do-release-upgrade through a graphical wizard.
Fedora Version Upgrades
Fedora uses the dnf system-upgrade plugin for version upgrades:
$ sudo dnf install dnf-plugin-system-upgrade
$ sudo dnf system-upgrade download --releasever=41
$ sudo dnf system-upgrade rebootThe download step downloads all new packages (which can be several gigabytes). The reboot step restarts into a special upgrade environment where the actual package installation happens. The system reboots again into the new Fedora version when complete.
Rolling Release Distributions
Arch Linux and its derivatives use a rolling release model — there are no version upgrades because the system is continuously updated. Regular sudo pacman -Syu keeps you on the latest version perpetually. There is no separate “upgrade to the next version” step.
Update Best Practices: A Practical Framework
How Often Should You Update?
Security updates: Apply as soon as possible — ideally within a few days of their release. Critical security vulnerabilities (like those affecting OpenSSL, the Linux kernel, or widely used system libraries) are actively exploited quickly after public disclosure.
Regular updates on a desktop: Weekly is ideal; every two weeks is acceptable. Falling more than a month behind on updates means accumulating security debt that grows over time.
Regular updates on a server: Follow your organization’s change management policy. Automated security updates (via unattended-upgrades or dnf-automatic) are common. Non-security updates may be applied during scheduled maintenance windows after testing.
Before Updating: Healthy Habits
Read the update summary before confirming. APT and DNF both show you what will be installed, upgraded, and (sometimes) removed before asking for confirmation. Take a few seconds to look at this. If you see a familiar essential package being removed, investigate before proceeding.
Check distribution news for major updates. If you are subscribed to your distribution’s announcements (Ubuntu Discourse, Fedora announcements, Arch Linux news), major updates are often accompanied by notes about changes that require manual action. The Arch Linux news page in particular is worth checking before updating because Arch’s rapid update pace occasionally introduces changes requiring manual intervention.
After Updating: Verification Steps
Check for held-back packages. After apt upgrade, run apt list --upgradable to see if any packages were held back. If so, investigate why — run apt full-upgrade to handle dependency changes.
Restart services that were updated. On a server, services like nginx, PostgreSQL, or OpenSSH should be restarted after their packages are upgraded so they are running the new version:
$ sudo systemctl restart nginxReboot after kernel updates. After a kernel update, plan a reboot at a convenient time. The new kernel is not active until the system restarts.
Check that the system is functioning normally. After significant updates, quickly verify that the applications you use most are still working correctly. Major library updates occasionally cause unexpected behavior in dependent applications — catching this quickly makes troubleshooting easier.
What Happens When Updates Go Wrong
Despite best practices, updates occasionally cause problems. Understanding the most common scenarios and their solutions gives you confidence to update regularly without anxiety.
Broken Package Dependencies
If an update fails partway through due to a network interruption or other error, you may end up with partially installed packages that leave the system in an inconsistent state. On APT systems, fix this with:
$ sudo apt install -fThe -f flag (fix broken) tells APT to resolve and fix any broken dependencies. This command alone resolves most partial-installation problems.
On DNF systems, run:
$ sudo dnf check
$ sudo dnf distro-syncAn Update Breaks an Application
If a package update causes an application to behave incorrectly, you can downgrade to the previous version on APT systems:
$ sudo apt install package-name=version-numberFind the previous version from the package history:
$ apt policy package-nameOn DNF systems, downgrade with:
$ sudo dnf downgrade package-nameOn Arch systems, previous package versions are available in the package cache at /var/.cache/pacman/pkg/. Install a cached version with:
$ sudo pacman -U /var/.cache/pacman/pkg/packagename-version.pkg.tar.zstA Kernel Update Causes Boot Problems
If your system fails to boot after a kernel update, the previous kernel is still available at the GRUB boot menu. Select “Advanced options” at the GRUB menu and choose the previous kernel version. Once booted into the previous kernel, you can investigate the problem or remove the problematic kernel update.
Keeping Flatpak and Snap Packages Updated
If you use Flatpak or Snap applications alongside your distribution’s package manager, these have separate update mechanisms that are not covered by apt upgrade or dnf update.
Updating Flatpak Applications
$ flatpak updateThis updates all installed Flatpak applications to their latest available versions. Flatpak applications that came from Flathub update automatically when new versions are published, but running this command manually ensures everything is current.
Updating Snap Applications
Snaps update automatically in the background — the snapd daemon checks for updates regularly and applies them. You can manually trigger an update check and apply available updates:
$ sudo snap refreshTo update a specific snap:
$ sudo snap refresh package-nameA Complete System Update Checklist
Here is a practical checklist for complete system maintenance on an Ubuntu/Debian system:
# Step 1: Refresh package index
sudo apt update
# Step 2: Review available updates (optional but recommended)
apt list --upgradable
# Step 3: Apply package updates
sudo apt upgrade
# Step 4: Handle held-back packages (when needed)
sudo apt full-upgrade
# Step 5: Remove unused dependencies
sudo apt autoremove
# Step 6: Clean package cache
sudo apt autoclean
# Step 7: Update Flatpak apps (if used)
flatpak update
# Step 8: Update Snap apps (if used)
sudo snap refresh
# Step 9: Reboot if a kernel was updated
sudo rebootFor Fedora, the equivalent is shorter:
# Comprehensive Fedora update
sudo dnf update
sudo dnf autoremove
flatpak update # if Flatpak is used
sudo reboot # if kernel was updatedComparison of Update Commands Across Distributions
| Operation | Ubuntu/Debian (APT) | Fedora (DNF) | Arch (Pacman) |
|---|---|---|---|
| Refresh package index | sudo apt update | (included in dnf update) | (included in pacman -Syu) |
| Install all updates | sudo apt upgrade | sudo dnf update | sudo pacman -Syu |
| Full upgrade with dependency changes | sudo apt full-upgrade | sudo dnf update | sudo pacman -Syu |
| Update specific package | sudo apt install pkg | sudo dnf update pkg | sudo pacman -S pkg |
| View available updates | apt list --upgradable | dnf check-update | pacman -Qu |
| Remove unused dependencies | sudo apt autoremove | sudo dnf autoremove | sudo pacman -Qdtq | pacman -Rs - |
| Distribution version upgrade | sudo do-release-upgrade | sudo dnf system-upgrade | Rolling (no version upgrades) |
Conclusion: Regular Updates Are Your Best Security Practice
Keeping your Linux system updated is the single most impactful security practice available to most users. The vast majority of successful attacks on computer systems exploit known vulnerabilities — vulnerabilities that have patches available and that a fully updated system would not be susceptible to. Regular updates close these vulnerability windows systematically.
Beyond security, updates deliver continuous improvements: faster applications, better hardware support, new features, and resolved bugs. On a rolling system like Arch, this stream of improvements is constant. On fixed-release systems like Ubuntu LTS, it is regular but more measured.
The simplicity of Linux updates compared to Windows is one of the system’s genuine advantages. A single command updates everything — the kernel, system libraries, the desktop environment, your web browser, your media player, your development tools — all at once, from trusted sources, with automatic dependency resolution. Learning to run updates regularly and correctly is one of the foundational habits that separates a well-maintained Linux system from one that gradually accumulates security vulnerabilities and aging software.
Make updating a habit. Whether you prefer the graphical Update Manager or the two-command terminal sequence, regular updates keep your Linux system healthy, secure, and performing at its best.
