How to Enable Automatic Security Updates on Arch Linux

by İbrahim Korucuoğlu ( @siberoloji) | Sunday, April 13, 2025

Categories:

Arch Linux

6 minute read

Arch Linux is renowned for its simplicity, cutting-edge packages, and rolling-release model. However, this do-it-yourself nature comes with the responsibility of managing system updates manually. Unlike some other distributions, Arch does not enable automatic updates by default—especially for security patches. This is by design, aligning with the Arch philosophy of giving full control to the user.

That said, it is possible to automate security updates on Arch Linux in a safe and controlled manner. This article will guide you through several methods for enabling automatic updates, focusing on security, stability, and customizability. Whether you’re running Arch on a personal laptop, a home server, or in production, this guide aims to help you reduce the manual overhead of keeping your system secure.

Why Automate Security Updates?

Security updates are essential for protecting your system against known vulnerabilities. These can range from kernel exploits and privilege escalation bugs to issues in web browsers, network services, or even desktop applications. If you don’t regularly apply updates, you risk leaving your system open to attack.

Here are a few reasons why enabling automatic security updates might be a good idea:

Reduce attack surface: Vulnerabilities can be patched before being exploited.
Improve uptime and reliability: Automated patching helps ensure long-term system health.
Ideal for unattended systems: Useful for servers or IoT devices that are not updated frequently by hand.
Consistency: Automated scripts can enforce consistent update policies.

However, automatic updates also carry some risk—especially on a rolling-release distribution like Arch. Unattended updates might cause breakage if new versions of packages introduce changes or remove features. This is why it’s critical to approach automation carefully.

Step 1: Understanding the Risks and Scope

Before diving in, you should understand:

Arch doesn’t separate security updates from general updates: Unlike Ubuntu or Debian, Arch’s repositories don’t distinguish between security and feature updates. You’ll be updating all packages unless you filter them yourself.
No official “unattended-upgrades” tool: Arch has no built-in mechanism like unattended-upgrades on Debian. You’ll need to script and configure your own solution.

Let’s look at a few strategies for setting up automatic updates on Arch Linux.

Step 2: Set Up `reflector` for Fast and Reliable Mirrors

Before enabling automatic updates, it’s crucial to ensure you’re using the best mirrors. Slow or outdated mirrors can result in update failures.

Install reflector:

sudo pacman -S reflector

Then generate a fresh mirror list sorted by speed:

sudo reflector --latest 20 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

You can run this manually or set up a systemd timer to keep it updated automatically.

Step 3: Install and Configure `pacman` Hooks (Optional)

Pacman does not automatically notify or log security-specific changes. However, there’s a project called Arch Linux Security Tracker ( https://security.archlinux.org/) which maintains a feed of known security issues.

You can use tools like arch-audit or arch-security-tracker to monitor your system for known security vulnerabilities.

Install arch-audit:

sudo pacman -S arch-audit

Then run:

arch-audit

This will compare your installed packages to known security advisories. While this doesn’t enable automatic patching, it helps you stay informed and can be scripted to email you or trigger an update script if issues are found.

Step 4: Create an Auto-Update Script with `pacman`

Here’s a simple shell script to automatically update all packages:

#!/bin/bash
# /usr/local/bin/auto-update.sh

echo "Starting system update: $(date)"

# Update package databases
sudo pacman -Sy

# Full system upgrade
sudo pacman -Syu --noconfirm

# Clean the cache (optional)
sudo pacman -Sc --noconfirm

echo "System update completed: $(date)"

Make it executable:

sudo chmod +x /usr/local/bin/auto-update.sh

This script updates the entire system with no user interaction (--noconfirm), which is necessary for automation. Be careful—this will apply all updates.

Step 5: Automate the Script with systemd Timer

Using systemd, we can schedule the update script to run automatically, such as every day or every week.

Create the systemd service unit

sudo nano /etc/systemd/system/auto-update.service

Add the following content:

[Unit]
Description=Automatic System Update

[Service]
Type=oneshot
ExecStart=/usr/local/bin/auto-update.sh

Create the timer unit

sudo nano /etc/systemd/system/auto-update.timer

Add the following:

[Unit]
Description=Run automatic system update daily

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

Then enable the timer:

sudo systemctl daemon-reexec
sudo systemctl enable --now auto-update.timer

You can check the status with:

systemctl list-timers | grep auto-update

This setup runs the update script once a day.

Step 6: Monitor Logs and Notifications

The output of systemd services is available in the journal. To check if the updates ran correctly:

journalctl -u auto-update.service

To ensure you’re aware of any issues (like package conflicts or update failures), you might consider configuring email alerts or push notifications using tools like:

mailx or msmtp (send logs via email)
ntfy, pushover, or gotify (for push notifications)

You could add a section at the end of your update script like:

journalctl -u auto-update.service --since "1 hour ago" | mail -s "Arch Update Log" your-email@example.com

Optional: Use `paru` or `yay` for AUR Updates

If you rely heavily on the AUR (Arch User Repository), your script can include AUR helpers like yay or paru:

yay -Syu --noconfirm

However, automating AUR updates is riskier, since AUR packages are user-contributed and might contain breaking changes. Use this with caution, especially on production systems.

Step 7: Consider Using `snap-pac` for Rollback Safety

Arch doesn’t have a built-in rollback mechanism. One way to make auto-updates safer is to install snap-pac, which takes a Btrfs snapshot (if using Btrfs with Snapper) before and after each pacman transaction.

Install it:

sudo pacman -S snap-pac

This way, if an automated update breaks your system, you can boot into a previous snapshot and restore it.

Best Practices and Tips

Test your script manually first: Before automating, make sure your update script works as expected.
Avoid unnecessary flags: Avoid using --force or --overwrite unless you know what you’re doing.
Back up critical systems: Always have a backup, especially for remote servers or production environments.
Monitor Arch mailing lists and Reddit: The Arch community is active and quick to report if any update causes major breakage.

Conclusion

While Arch Linux doesn’t come with automatic security updates out of the box, you can implement a secure and stable system using a combination of update scripts, systemd timers, and monitoring tools. Automating updates—especially on a rolling-release system—requires caution and awareness, but it can save time and improve your system’s security posture.

By following this guide, you’ll be well-equipped to keep your Arch system automatically up-to-date with minimal manual intervention, while still retaining the transparency and control that Arch is known for.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

How to Harden the Linux Kernel on Arch Linux >