I am in the process of configuring a production web server running Debian 5.0. How do you keep an apt-based distro up to date. Is there any best practice or magical ways of doing it? Logging in via ssh and running apt-get upgrade manually seems unrational.
EDIT: After some discussion in the comments I am now deciding to upgrade the server manually but would like to know how to keep up to date with what packages to apply.
Automatically updating your server could be problematic; the installation could fail, the new package could have slightly different behavior (debian is pretty good at avoiding this), or a condition might have changed which only becomes evident when package installation forces a service restart, etc. So I would advise against unattended package installs.
That being said, you could look into cron-apt, which you can configure to do just that, or to download the packages in advance, and alert you about the available updates so that all you have to do is log in and install them.
Additionally/alternatively, you could subscribe to debian-security-announce, which sends out notices of new security updates.