What is debian-sys-maint used for?
One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.
See the file /etc/logrotate.d/mysql-server
It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.
Here is the quote from the README.Debian
* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.
What is the easiest way to restore it after I've lost it?
The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint.
You could use a command like this to build a SQL file that you can use later to recreate the account.
mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql
Is the password in
/etc/mysql/debian.cnf already hashed
The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).
(Warnings regarding automatic upgrades have already been voiced by previous posters.)
Given the track record of the Debian Security team in the last few years, I consider the risks of broken upgrades far less than the benefit of having automatic updates on seldom-visited systems.
Debian Lenny comes with unattended-upgrades, which originated from Ubuntu and is considered to be the defacto solution for unattended upgrades for Debian starting from Lenny/5.0.
To get it up and running on a Debian system you need to install the unattended-upgrades package.
Then add these lines to /etc/apt/apt.conf:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
(Note: In Debian Squeeze/6.0 there is no /etc/apt/apt.conf. The preferred method is to use the following command, which will create the above lines in /etc/apt/apt.conf.d/20auto-upgrades:)
sudo dpkg-reconfigure -plow unattended-upgrades
A cron job is then run nightly and checks if there are security updates which need to be installed.
Actions by unattended-upgrades can be monitored in /var/log/unattended-upgrades/. Be wary, that for kernel security fixes to become active, you need to reboot the server manually. This can also be done automatically in course of a planned (e.g. monthly) maintenance window.
Best Answer
I like setting up apticron. It willnotify by email and download, not install, the packages.