
Funny, I've been able to update off the standard package repos



You may have updated the package, but did you really boot from it? Run 'uname -v' to check:

    $ uname -v
    #1 SMP Debian 3.2.46-1

DigitalOcean systems do not boot from the kernel image installed within your VM; they are externally provided.

This reminds me of something I omitted from my original rant. I've actually had to pin the kernel image package that I've got installed on my VM to the version that DigitalOcean provide:

    linux-image-3.2.0-4-686-pae:
      Installed: 3.2.46-1
      Candidate: 3.2.51-1
      Version table:
         3.2.51-1 0
            550 http://http.debian.net/debian/ wheezy/main i386 Packages
         3.2.46-1+deb7u1 0
            550 http://security.debian.org/ wheezy/updates/main i386 Packages
     *** 3.2.46-1 0
            100 /var/lib/dpkg/status

Because an unforeseen ABI break in some netfilter module means that if I install the newest package, then reboot, one of the modules used by my iptables setup fails to load. ferm notices this and rolls back my firewall configuration--to the default state which allows all traffic. I noticed this, but I wonder how many other customers with similar setups did not, and hence have not noticed that their iptables rules are incorrect or absent.
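
A check for the two conditions raised in this reply, added here as an example and not part of the thread: it compares the booted kernel's package version with the installed one and flags a filter table whose INPUT chain is ACCEPT with no rules. The function names and sample inputs are constructed for illustration, and treating the `uname -v` version and the package version as directly comparable strings is an assumption.

```shell
# Added example. Sample inputs are constructed from the outputs quoted above.

# Debian package version of the running kernel, from `uname -v` text.
booted_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Installed version, from `apt-cache policy <package>` text.
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^ *Installed: *//p' | head -n 1
}

# Succeeds when an `iptables-save` dump shows the filter table's INPUT chain
# with policy ACCEPT and no rules: the allow-all state described above.
input_allows_all() {
    printf '%s\n' "$1" | awk '
        /^\*/ { in_filter = ($0 == "*filter") }
        in_filter && /^:INPUT ACCEPT/ { accept = 1 }
        in_filter && /^-A INPUT/ { rules++ }
        END { exit !(accept && rules == 0) }'
}

# Prints one line per finding; the return status is the number of findings.
audit() {
    findings=0
    booted=$(booted_version "$1")
    installed=$(installed_version "$2")
    if [ "$booted" != "$installed" ]; then
        echo "kernel: booted $booted, installed package is $installed"
        findings=$((findings + 1))
    fi
    if input_allows_all "$3"; then
        echo "firewall: filter INPUT is ACCEPT with no rules"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: package upgraded, old kernel still booted, rules gone.
SAMPLE_UNAME='#1 SMP Debian 3.2.46-1'
SAMPLE_POLICY='linux-image-3.2.0-4-686-pae:
  Installed: 3.2.51-1'
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
audit "$SAMPLE_UNAME" "$SAMPLE_POLICY" "$SAMPLE_RULES" || true
```

On a live Debian system the three arguments would come from `uname -v`, `apt-cache policy linux-image-3.2.0-4-686-pae` and `iptables-save` run as root.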



