# Upgrade packages on production server

**URL:** https://discourse.roots.io/t/upgrade-packages-on-production-server/5452
**Category:** trellis
**Created:** 2015-12-08T13:29:21Z
**Posts:** 6

## Post 1 by @iamanders — 2015-12-08T13:29:22Z

I have a couple of questions that I can’t find the answer to.

1. What is the best way to update packages on staging and production servers when running Trellis? Should I just ssh in to the server and run “apt-get upgrade” or is there an Ansible command to do this? Will the packages “upgrade” when I provision the server?

2. Is it “safe” to run the provision command at any time? Will my database, files or config files get overwritten?

Thanks

---

## Post 2 by @swalkinshaw — 2015-12-08T15:19:04Z

1. Never do anything manually that causes any side-effect. Meaning you can SSH into your server to look at things, troubleshoot etc, maybe restart services, but don’t change files, change packages, etc. It defeats the purpose of Trellis.

If you want to update packages you have a few choices:

- add a task to run `apt-get upgrade` (not recommended since it’s system wide but at least test on staging/dev first)
- manually specify a version for any tasks that install a package (see `apt` Ansible docs)
- add a `latest=yes` argument to any `apt` action (see Ansible docs)

2. Yes it’s completely safe. That’s the magic of Ansible and proper server configuration management :smile:

---

## Post 3 by @iamanders — 2015-12-09T08:18:45Z

Great answer, thanks!

Just curious, why isn’t upgrading packages in Trellis workflow/commands by default?

---

## Post 4 by @swalkinshaw — 2015-12-09T16:56:09Z

Because it’s not deterministic. In fact it already isn’t :frowning:

What we should be doing in Trellis is explicitly setting every package version and then periodically bumping them once the newer versions have been tested.

---

## Post 5 by @jsphpl — 2016-08-26T21:14:37Z

So would it also be against the purpose of Trellis to set up unattended-upgrades for _security updates_? A security fix usually contains no incompatible changes, so in that regard it would still be somehow deterministic…

---

## Post 6 by @swalkinshaw — 2016-08-30T00:27:51Z

Ideally you’d have a staging server to test security updates on. In reality it’s probably almost always fine to just apply these in production.

Either way, _you should definitely keep your servers up to date with security updates_.
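
---

The options raised in this thread, as an added example that is not part of the original posts or of Trellis: a playbook that pins one package, tracks the newest version of another, upgrades everything on staging only, and enables unattended upgrades. The `web` and `staging` group names, the package choices and the version placeholder are assumptions, and the last tasks assume Ubuntu's packaged `50unattended-upgrades`, which limits automatic upgrades to the security origin.

```yaml
# Added example, not Trellis code. Group names, packages and the version
# placeholder are assumptions made for illustration.
- name: Package update options discussed in this thread
  hosts: web
  become: yes
  vars:
    # Placeholder: set to a version that has been tested on staging.
    nginx_version: "<tested-version>"
  tasks:
    - name: Refresh the apt cache at most once an hour
      apt:
        update_cache: yes
        cache_valid_time: 3600

    # Deterministic: every provision installs the same version.
    - name: Install nginx at a pinned version
      apt:
        name: "nginx={{ nginx_version }}"
        state: present

    # Not deterministic: installs whatever the mirror offers at provision time.
    - name: Keep openssl at the newest available version
      apt:
        name: openssl
        state: latest

    # System-wide upgrade, restricted to staging so it is tested first.
    - name: Upgrade all packages (staging only)
      apt:
        name: "*"
        state: latest
      when: "'staging' in group_names"

    # Security updates between provisions.
    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades
        state: present

    - name: Enable daily unattended upgrade runs
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
```

A package that is pinned in the playbook and also upgraded by unattended-upgrades will drift from the pinned version until the pin is bumped, so review the pins whenever security updates have been applied.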
