@feld
Also the Salt is an interesting case because it comes from a 3rd party repo which won't be upgraded by unattended-upgrade if it's not whitelisted.
A lot of such nuances in infra security...