Should I be installing system updates on my hot wallet Ubuntu computer?

[Simcom]

What do you guys think is the best for security, installing updates or not updating.  I'm talking about system updates, not armory updates.  I am running Ubuntu 14.04.

[Simcom]

I think using a hot wallet is insecure (unless we are talking about pocket change here).

Might as well keep the OS up to date.

Sorry I was talking about my watch-only wallet, the cold wallet is on a perma offline computer.  So you think keeping the OS up to date is better then? I was worried maybe I could pick up some sort of vulnerability by updating lots of things.

[etotheipi]

Sorry I was talking about my watch-only wallet, the cold wallet is on a perma offline computer.

Ahh, I see. Very good.

So you think keeping the OS up to date is better then? I was worried maybe I could pick up some sort of vulnerability by updating lots of things.

I would (and do) keep my OS updated. Some of the updates fix vulnerabilities.

We've tried to make it so that if the online computer is totally under the control of an attacker, there's still minimal risk to the offline computer.  You obviously want the online computer to be free of malware, and so you should take preventative measures, but it's still the offline computer that matters.  And the attack surface is pretty slim.

People have asked if the offline computer should be updated with OS updates, etc.  My attitude on this is:  if you are going to keep the offline computer updated, you are introducing far more risk than you are reducing:  you will be regularly transferring data from your potentially-compromised online system, and executing it with root privileges on your offline computer (to install the updates).  This seems to introduce a recurring (weekly?) channel for remote, root execution by the online computer to the offline computer.  Even without a fancy USB virus, this could be exploited with someone pushing a coin-stealing chunk of code into a system library/service update silently.  It doesn't have to persist for long to compromise a lot of people who are diligent about updating their offline computer.  

Personally, I'd feel safer using a version of Linux/Ubuntu that has been around for a while (perhaps before Bitcoin was worth $billions), and has a well-known verifiable CD/DVD hash.  I believe the attack vector of such an OS--even if there are known vulnerabilities--is far smaller than having users regularly execute code transferred from their online computer with root privileges.

Also, updates can also introduce vulnerabilities.  It might be the case that vulnerabilities are reduced on average, but if you are updating software with all sorts of new features, you might actually be adding more vulnerabilities than you are fixing.