On Ubuntu Xenial, apt-get fails silently when security update server cannot be reached. This state could be detected by scanning the apt-get output afterwards. But manually adding workarounds to each apt-get invocation in production automation is prone to error, thus leaving machines without security updates.
Expected behaviour (e.g.):
* 0 - all OK
* 1 - temporary failure (e.g. network)
* 2 - permanent failure
Test:
* Change your update server IP in /etc/hosts to something unreachable
* Run apt-get update (might take a while)
* Check exit status
$ lsb_release -r -d
Description: Ubuntu 16.04.3 LTS
Release: 16.04
rfiedler@n3ahit1403:~$
ii apt 1.2.24 amd64 commandline package manager
Really? It should print that it could not reach the server. Transient errors like that are ignored success-state wise so you don't end up with tons of error messages when you are offline or your connection is broken. I want to rework this eventually to give more control on what constitutes an error, but that's a long way off.