unspawn, you make a lot of sense here
I seldom get accused of just that...
As far as I know there's no 1:1 linkage between updating through any of the package management tools and the release of FC security bulletins. The easiest ways in my opinion are to monitor security mailing lists like fedora-security-list@redhat.com (https://www.redhat.com/mailman/listi...-security-list) or check sites like http://fedoranews.org/cms/Security or http://fedoranews.org/newsalert/ or sites/RSS/email aggregations from US-CERT (slow), SANS, SecurityFocus, Secunia and such, and *act* on it when updates are released. Keeping the inbound queue as empty as possible helps make resolving dependencies less problematic. If you mean using package management tools, then the only thing that comes to mind is reviewing changelogs when checking for updates. That's gonna be a nasty task ;-p As far as I know only Yum has a plugin to review changelogs on the fly (separate Yum tools package) and I haven't tested it. RPM itself of course has a switch to display changelogs (--changelog). HTH
Other than that it's just using common sense, forgetting "nice to haves" and concentrating on the "must haves". Base system items like the Kernel and libraries should always be kept up to date. Other than that it depends on the role and position of the box, any services and applications that can be interfaced with like the AMP in LAMP including PHP-based (or related) applications, other network-facing daemons (even disabled), services and applications with a wobbly security track record.
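The "review changelogs when checking for updates" step described in the post can be scripted rather than read by eye. The following is an added example, not code from the poster or from Fedora/RPM: it filters `rpm -q --changelog` style output down to the entries that reference a CVE id and counts the distinct ids, so an admin triaging a queue of pending updates can see at a glance which ones are security-relevant. The changelog text is a constructed sample embedded in the script, and the CVE ids in it are placeholders (CVE-0000-xxxx), not real advisories.

```shell
#!/bin/sh
# Added example (not from the forum post): extract the changelog entries that
# reference a CVE id from `rpm -q --changelog <pkg>` style output, so the
# "review changelogs" step can be scripted. Runs offline on the sample below.

# Constructed sample changelog in rpm's `--changelog` layout. The CVE ids are
# placeholders (CVE-0000-xxxx), not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Maintainer <maint@example.invalid> - 1.2.3-4
- rebuild for new compiler
* Mon Jan 08 2007 Maintainer <maint@example.invalid> - 1.2.3-5
- fix buffer overflow in parser (CVE-0000-0001)
- fix information leak (CVE-0000-0002, CVE-0000-0003)
* Mon Jan 15 2007 Maintainer <maint@example.invalid> - 1.2.3-6
- update documentation'

# Print each changelog entry (the "* date author - version" header plus its
# "- ..." lines) that mentions at least one CVE id. Reads the changelog on stdin.
security_entries() {
    awk '
        /^\* / { if (hit) printf "%s", buf; buf = $0 "\n"; hit = 0; next }
        { buf = buf $0 "\n"; if ($0 ~ /CVE-[0-9]+-[0-9]+/) hit = 1 }
        END { if (hit) printf "%s", buf }
    '
}

# Print the distinct CVE ids found in the changelog on stdin, one per line.
cve_ids() {
    grep -o 'CVE-[0-9]*-[0-9]*' | sort -u
}

# Number of distinct CVE ids: a quick "does this update fix anything
# security-relevant?" signal when deciding what to install first.
cve_count() {
    cve_ids | wc -l | tr -d ' '
}

# Example run against the constructed sample. In practice, pipe in
#   rpm -q --changelog <package>
# for an installed package, or point rpm at the candidate package file.
printf '%s\n' "$SAMPLE_CHANGELOG" | security_entries
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_count
```

The awk filter keeps whole entries rather than single lines, so the version that shipped the fix stays attached to the description; that is the piece you need when deciding whether the update already sitting in your queue covers the bulletin you just read.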