My comments:
My policy will be to just launch "Software Updater" (or run sudo apt update in terminal) at least once a week to check for updates. This will include security updates from Ubuntu.
I would like to see an automatic notification of available updates, like an icon appearing on the panel to indicate this. I may be wrong, but I don't think there is - never seen it. Have you?
Hello everyone,
I also confirm that there is an issue with the Software Updater GUI (/usr/bin/update-manager) in Zorin OS 18, which is never periodically displayed automatically when updates (even security updates) are available, even if everything is correctly configured in "Software & Updates" parameters.
There are already several different topics regarding this issue :
This problem did not occur in Zorin OS 17.3.
Currently, the simplest workaround is to add "/usr/bin/update-manager" in the "Startup Applications", in order to trigger the Software Updater at every session startup, but it is just a workaround, the Zorin team should investigate this problem.
As for me, I've already reported this issue via the official feedback section : Send Feedback - Zorin OS
I work with a lot people, it's a really difficult job to explain to them the concept of updates. They won't bother with installing updates. You also have to give them sudo or root password to do this, which is not a good idea, also extra hassle for everyone involved. Getting notifications don't work either without workarounds and it's not automatic update...
Most companies have someone who can click through a windows installation and would be able to do it in a linux installer too. Ideal situation would be, that I show them once how to install and all these things just work on the next machine they set up for themselves. Which is not possible here without messing with config files.
This is correct.
Unattended Upgrades is strict and will only source upgrades from ubuntu.
First, I chacked the configuration files in Zorin OS 18 - and these are correct.
I checked if there were any systemd-timer tasks missing - none were missing.
I checked the apt policy - and that is where I found it.
Zorin supplied packages:
o=LP-PPA-zorinos-stable
o=LP-PPA-zorinos-patches (priority 999)
o=LP-PPA-zorinos-drivers
o=LP-PPA-zorinos-apps
Would be seen by Unattended Upgrades as a Third Party repository - and will be ignored.
Only:
o=Ubuntu,a=noble-security
o=Ubuntu,a=noble-updates
will be recognized and permitted through.
Importantly, Security updates will be passed through. Critical patches from Ubuntu Universe repo will, as well.
But Zorin OS Specific updates and packages in their PPA will not.
Because an end user configuring this to permit third party PPA's is risky security wise... I will not delve into that here.
But, we can refer this to the ZorinGroup
@AZorin @zorink
to review in case they would like to consider a preconfigured policy for managing unattended upgrades beyond just security releases for Zorin OS core system.
my system didn't get any updates since october 15th, it's hard to believe there weren't anything in 2 months that needed an update.
Without checking the releases, I need to see dates rather than an argument of incredulity.
I certainly see your point of view, but I can easily see periods of time where updates are slower than others.
However, above we have established that Unattended Upgrades, as its parameters are strictly set for Ubuntu, will ignore Zorin OS repository contained updates, it is probably sufficient alone to explain what is perceived in this thread.
I have posted this, tell me what else you need. I have started the VM for hours these past days and nothing. Ok maybe there weren't anything in two months, can you tell me where can I check and why there were no updates, not even for the kernel?
So, it runs in a VM, yes? Is it set up for Internet Acess and Downloads?
of course, you can see the output from sudo apt update && sudo apt upgrade it's a qemu vm, I have a dozen other vms(this is the only one based on ubuntu) none of them have issues.
@Aravisian if I understand you correctly you say that only ubuntu security is allowed, but looking at my unattended-upgrades.log file https://justpaste.it/kj6fh
2025-12-12 16:02:50,125 INFO Starting unattended upgrades script
2025-12-12 16:02:50,126 INFO Allowed origins are: o=Zorin,a=noble, o=Zorin,a=noble-security, o=ZorinESMApps,a=noble-apps-security, o=ZorinESM,a=noble-infra-security
it seems it only allows zorin repos, this log file is really confusing.
where is that?
here's my /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
as the reddit post suggests ${distro_id} resolves to Zorin and not ubuntu, again I don't know what else to check
Hmm...
I stand corrected?
According to what you just posted, the ZorinGroup has forked the policy already and it should be allowing updates through the Zorin OS repository.
What confused you was that my statement contradicting what you just posted. Not the logs...
Well...
Looking at:
ls -l /var/lib/apt/lists | grep noble-security ββ―
-rw-r--r-- 1 root root 126127 Dec 12 20:59 archive.ubuntu.com_ubuntu_dists_noble-security_InRelease
-rw-r--r-- 1 root root 7747255 Dec 11 11:49 archive.ubuntu.com_ubuntu_dists_noble-security_main_binary-amd64_Packages
-rw-r--r-- 1 root root 1791157 Dec 11 11:49 archive.ubuntu.com_ubuntu_dists_noble-security_main_binary-i386_Packages
-rw-r--r-- 1 root root 41398 Dec 11 01:36 archive.ubuntu.com_ubuntu_dists_noble-security_main_cnf_Commands-amd64
-rw-r--r-- 1 root root 25373 Dec 12 13:25 archive.ubuntu.com_ubuntu_dists_noble-security_main_dep11_Components-amd64.yml.gz
-rw-r--r-- 1 root root 13430 Apr 24 2025 archive.ubuntu.com_ubuntu_dists_noble-security_main_dep11_icons-48x48.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_main_dep11_icons-64x64%402.tar.gz
-rw-r--r-- 1 root root 19974 Apr 24 2025 archive.ubuntu.com_ubuntu_dists_noble-security_main_dep11_icons-64x64.tar.gz
-rw-r--r-- 1 root root 5623342 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_main_i18n_Translation-en
-rw-r--r-- 1 root root 161906 Oct 20 13:52 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_binary-amd64_Packages
-rw-r--r-- 1 root root 28918 Sep 18 08:16 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_binary-i386_Packages
-rw-r--r-- 1 root root 1246 Oct 20 14:34 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_cnf_Commands-amd64
-rw-r--r-- 1 root root 157 Dec 12 13:29 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_dep11_Components-amd64.yml.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_dep11_icons-48x48.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_dep11_icons-64x64%402.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_dep11_icons-64x64.tar.gz
-rw-r--r-- 1 root root 51981 Nov 17 08:51 archive.ubuntu.com_ubuntu_dists_noble-security_multiverse_i18n_Translation-en
-rw-r--r-- 1 root root 13583112 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_binary-amd64_Packages
-rw-r--r-- 1 root root 134259 Oct 20 13:52 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_binary-i386_Packages
-rw-r--r-- 1 root root 4287 Oct 20 14:34 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_cnf_Commands-amd64
-rw-r--r-- 1 root root 156 Dec 12 13:31 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_dep11_Components-amd64.yml.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_dep11_icons-48x48.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_dep11_icons-64x64%402.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_dep11_icons-64x64.tar.gz
-rw-r--r-- 1 root root 10103008 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_restricted_i18n_Translation-en
-rw-r--r-- 1 root root 5699695 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_universe_binary-amd64_Packages
-rw-r--r-- 1 root root 3496523 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_universe_binary-i386_Packages
-rw-r--r-- 1 root root 139763 Dec 10 12:17 archive.ubuntu.com_ubuntu_dists_noble-security_universe_cnf_Commands-amd64
-rw-r--r-- 1 root root 91172 Dec 12 13:27 archive.ubuntu.com_ubuntu_dists_noble-security_universe_dep11_Components-amd64.yml.gz
-rw-r--r-- 1 root root 46644 Nov 27 11:09 archive.ubuntu.com_ubuntu_dists_noble-security_universe_dep11_icons-48x48.tar.gz
-rw-r--r-- 1 root root 29 May 28 2024 archive.ubuntu.com_ubuntu_dists_noble-security_universe_dep11_icons-64x64%402.tar.gz
-rw-r--r-- 1 root root 72881 Nov 27 11:09 archive.ubuntu.com_ubuntu_dists_noble-security_universe_dep11_icons-64x64.tar.gz
-rw-r--r-- 1 root root 1907736 Dec 11 07:32 archive.ubuntu.com_ubuntu_dists_noble-security_universe_i18n_Translation-en
I do not see anything very recent.
The same applies to:
apt-cache madison linux-image-generic ββ―
linux-image-generic | 6.8.0-90.91 | http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
linux-image-generic | 6.8.0-88.89 | http://archive.ubuntu.com/ubuntu noble-security/main amd64 Packages
linux-image-generic | 6.8.0-31.31 | http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
I had checked using apt-cache policy
As far as I know, the file "50unattended-upgrades" was already configured that way in the previous versions of Zorin (including 17.3) and yet, the Software Updater GUI was periodically displayed by the system.
Here, I don't think the issue comes from the unattended upgrades configuration files. It would seem rather that the Software Updater GUI is never notified of new updates by the system, or something like that.
what do you mean? 6.8.0? I don't really understand.
my kernel was built in september and it's 6.14, I have installed Zorin 18 core
6.14.0-33-generic #33~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 19 17:02:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
I really don't know what you are saying. There were no security updates for any of the packages in two months?
I don't really care about notifications.
That is what I was looking for, yes.
Package release frequency is a huge variable, but I do not finding a couple of months between security updates surprising.
But I think many posts in this thread have certainly established that Unattended Upgrades is not working properly.
Others showed that it relayed no updates even as a manual check showed that there were packages waiting.
How can I check if there are security updates available for my system? Sorry I'm not familiar with ubuntu/debian. This would help to clear the confusion.
If you mean current:
sudo apt update
will alert you to pending available package updates through out all of your repositories and if there are any, you can run
sudo apt upgrade
Or all in one go:
sudo apt update && sudo apt full-upgrade
If you want to check history of what available packages have been released (independent of what is on your system)...
New or experienced, this is actually not as straight forward as it should be.
If we look over at Windows OS, it is even less so.
This is not due to developers wanting to keep secrets, but to low demand on the users part for this. I mean... a lot of users ignore all updates...
Above, I used ls -l /var/lib/apt/lists | grep noble-security for Zorin OS 18 in terminal. That is one way you can do it.
there's no way to check only the updates from the security repo? apt upgrade shows everything. I can't tell which one that comes from the security repo. How does unattended-upgrades do it? If I understand correctly it should only check certain repos.
I have downloaded manually Packages.xz from the ubuntu main security repo from https://mirrors.hosterion.ro/ubuntu/dists/noble-security/main/binary-amd64/
has this for example for the kernel, but there could be other packages too:
Package: linux-generic-hwe-24.04
Architecture: amd64
Version: 6.14.0-37.37~24.04.1
Priority: optional
Section: kernel
Source: linux-meta-hwe-6.14
Origin: Ubuntu
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 9
Depends: linux-image-generic-hwe-24.04 (= 6.14.0-37.37~24.04.1), linux-headers-generic-hwe-24.04 (= 6.14.0-37.37~24.04.1)
Recommends: linux-tools-6.14.0-37-generic, ubuntu-kernel-accessories
Filename: pool/main/l/linux-meta-hwe-6.14/linux-generic-hwe-24.04_6.14.0-37.37~24.04.1_amd64.deb
Size: 1726
MD5sum: 379a46c1451cdcc6f3c6692dc7d34e44
SHA1: 9dee8d68f0decf36c5e48007d6b1ddc83f978bb8
SHA256: be511f87095f9b8b57d0b32543069e9c58142ff141da585d74e3f5d227e05820
SHA512: ea6bc884a9e3510fe8e9073ba1ae7a38a0b94405bbdbd001e7c00bcec0b4da53c0cebd320eeab0f7021492180b420132a40d87fbb2e772cfde713a3996967ab4
Description: Complete Generic Linux kernel and headers
Description-md5: 000d0a6187a93215f75bba542cc6df27
I have no idea how to browse the zorin repo, does it even have the kernel?
You actually touched on the answer to your own question, which is good. You say you are a new user, so this means you are putting the pieces together.
And you are right: Unattended Upgrades package does not differentiate security updates from system package updates.
The reason security updates would still pass through is that they are sourced directly from Ubuntu, not through the Zorin OS Repository.
You can browse the Zorin Repo:
yeah but I got 0 updates since installing, the kernel is just the package I checked, it also show up in apt update I just don't know if it's marked as a security update. So I don't think anything passes through the current config...
I have found that launchpad it has 77 packages for noble, it barely has anything in it, and from the current config it seems unattended-upgrades only checks the zorin repo, or is it somehow transitive and it also includes ubuntu security and it's delayed somehow?