Unattended-upgrades? Manually in response to security mailing lists? Configuration management? Teardown and rebuild at fixed intervals?

If you're uncomfortable with how it's currently done, what would you change?
Bare metal, yum update. VMs, new image build from a pipeline.

Currently, yum is a problem because people tainted repos and didn't understand the rpm dependency conundrums they could get into. I warned them several times. Now it takes a massive team of people to update the OS. It's even more complicated than that, but I would need to write a blog about it.

Image builds at least force them to fix the conundrums prior to reaching the staging or test areas.

What would I change? None of what I stated is a technical problem. Bare metal, VMs and containers can all be as easy to update and maintain.
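One way the image-build pipeline in the reply above can force tainted repos to be fixed before an image reaches staging: a gate that refuses any enabled yum repo with GPG checking off or a host outside an allowlist. This is an added example, not code from the thread; the allowlist and the .repo files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Image-build gate: fail the build on hand-tainted yum repos. A repo section is
# a violation if it is enabled and either has gpgcheck off or points at a host
# that is not on the allowlist. Hypothetical helper with constructed sample data.

# audit_repos REPO_DIR "host1 host2 ..."
# Prints one "file:[section]: reason" line per violation (nothing if clean).
audit_repos() {
    dir=$1; allowed=$2
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # Flatten each [section] into: name enabled gpgcheck host ("-" = unset)
        awk '
          function flush() { if (sec != "") print sec, en, gpg, host }
          { gsub(/[ \t\r]/, "") }
          /^#/ || /^;/ || /^$/ { next }
          /^\[/ { flush(); sec = substr($0, 2, length($0) - 2)
                  en = "1"; gpg = "-"; host = "-"; next }
          /^enabled=/  { en  = substr($0, 9);  next }
          /^gpgcheck=/ { gpg = substr($0, 10); next }
          /^(baseurl|mirrorlist|metalink)=/ {
              url = $0; sub(/^[^=]*=/, "", url); sub(/^[A-Za-z]+:\/\//, "", url)
              split(url, h, "/"); host = h[1]; next }
          END { flush() }
        ' "$f" | while read -r sec en gpg host; do
            [ "$en" = "1" ] || continue          # disabled repos are ignored
            [ "$gpg" = "1" ] || echo "$f:[$sec]: gpgcheck is not 1"
            case " $allowed " in
                *" $host "*) ;;
                *) echo "$f:[$sec]: host '$host' is not on the allowlist" ;;
            esac
        done
    done
}

# Constructed sample: one approved mirror, one hand-added vendor repo, one disabled.
demo_dir=$(mktemp -d)
printf '%s\n' '[base]' 'baseurl=https://mirror.example.internal/el8/base' \
    'enabled=1' 'gpgcheck=1' > "$demo_dir/base.repo"
printf '%s\n' '[vendor]' 'baseurl=http://downloads.vendor-example.test/rpms' \
    'enabled=1' 'gpgcheck=0' '[old]' 'baseurl=http://stale.example.test/' 'enabled=0' \
    > "$demo_dir/vendor.repo"
ALLOWED_HOSTS="mirror.example.internal"
audit_repos "$demo_dir" "$ALLOWED_HOSTS"   # prints two violations, both for [vendor]
```

In a pipeline, fail the stage when the function prints anything, so the image is never built from a repo set nobody approved.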