Manually verify packages Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.
Managing Platform versions To receive the most up-to-date software without introducing breaking changes, use the latest platform, pin your infrastructure to known versions, and update the pinned version manually when you’re ready to update.
Upgrading To upgrade your deployment, you must upgrade both the infrastructure components and agents.