Upgrading multiple Debian servers at once

  • Debian patterns for Puppet.

  • Are configuration management tools (Puppet, Chef) capable of keeping installed packages up to date?

  • Wikipedia's blog entry and link to their repository (all the configs except the passwords).


Sounds like a good enough reason to actually install the unattended-upgrades package as part of your default build and retroactively on your existing servers. As the description itself says:

This package can download and install security upgrades automatically and unattended, taking care to only install packages from the configured APT source, and checking for dpkg prompts about configuration file changes.

This script is the backend for the APT::Periodic::Unattended-Upgrade option.

Once installed, all you need to do is modify /etc/apt/apt.conf.d/50unattended-upgrades to taste to specify which Origins to process upgrades for, along with blacklisting specific packages not to upgrade unattended. You can also specify an email address to send reports out to and whether or not to reboot automatically if a package requests one after upgrading.

I use this for all the remote servers I maintain for clients and have it send the reports to me so that I don't have to log into them all one by one and perform the upgrades.
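The settings the answer above mentions (origins, package blacklist, report address, automatic reboot), as an added configuration example that is not part of the original answer. It assumes a Debian release whose security archive uses the `-security` codename suffix; the blacklist entries and the mail address are constructed placeholders.

```conf
// ---- /etc/apt/apt.conf.d/20auto-upgrades ----
// Enables the daily APT job that refreshes package lists and then
// runs unattended-upgrade.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

// ---- /etc/apt/apt.conf.d/50unattended-upgrades ----
// Only packages from archives matching one of these patterns are
// upgraded. Restricting this to the security archive keeps feature
// updates and third-party repositories out of unattended runs.
// (Assumption: compare against the patterns in the file shipped with
// your release before changing them.)
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};

// Packages that must never be upgraded unattended. Entries are regular
// expressions matched against package names. Constructed examples:
// hold back a database server and kernel images for a manual,
// scheduled upgrade.
Unattended-Upgrade::Package-Blacklist {
        "postgresql-.*";
        "linux-image-.*";
};

// Where to send the run report (placeholder address). The host needs
// a working local mail setup for this to be delivered.
Unattended-Upgrade::Mail "ops@example.com";

// Do not reboot on our own when an upgraded package requests it;
// the report shows which hosts are waiting for a reboot.
Unattended-Upgrade::Automatic-Reboot "false";
```

Running `unattended-upgrade --dry-run --debug` as root shows which origins are accepted and which packages would be upgraded or skipped, without installing anything.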