It's currently not mentioned in the playbook but looking at the output
from `unattended-upgrade -v` is how we usually verify what's going on
and why packages are being blocked from auto-upgrades.

The output from that command, however, can be very confusing so it's
important to have some leads for what to look out for in the output.

howto/upgrades.md

@@ -161,9 +161,14 @@ following [fabric](howto/fabric) command:
 
     fab fleet.pending-upgrades --query='ALERTS{alertname="PackagesPendingTooLong",alertstate="firing"}'
 
-Look at the list of packages to be upgraded, and consider upgrading
-them manually, with Cumin (see below), or individually, by logging
-into the host over SSH directly.
+Look at the list of packages to be upgraded, and inspect the output from
+`unattended-upgrade -v` on the hosts themselves. In the output, watch out for
+lines mentioning `conffile prompt` since those often end up blocking more
+packages that depend on the one requiring a manual intervention because of the
+prompt.
+
+Consider upgrading the packages manually, with Cumin (see below), or
+individually, by logging into the host over SSH directly.
 
 Once package upgrades have been dealt with on a host, the alert will clear after
 the timer `prometheus-node-exporter-apt.timer` triggers. It currently runs every