diff --git a/policies/module-types/system-updates/README.md b/policies/module-types/system-updates/README.md
index 82330648a7..0f311534cd 100644
--- a/policies/module-types/system-updates/README.md
+++ b/policies/module-types/system-updates/README.md
@@ -170,4 +170,8 @@ The APT support is enabled with the `apt` feature:
 ```shell
 cargo build --release --features=apt
-```
\ No newline at end of file
+```
+
+### Security
+
+This module needs to run as root, and protects its database with `600` permissions.
diff --git a/policies/module-types/system-updates/src/db.rs b/policies/module-types/system-updates/src/db.rs
index 991051254f..1bf526bc4b 100644
--- a/policies/module-types/system-updates/src/db.rs
+++ b/policies/module-types/system-updates/src/db.rs
@@ -122,11 +122,15 @@ impl PackageDatabase {
 rudder_debug!("Running pid migration");
 let r = self
 .conn
- .execute("select pid from update_events limit 1", ());
- if r.is_err() {
- rudder_debug!("Adding the pid column");
- self.conn
- .execute("alter table update_events add pid integer", ())?;
+ .query_row("select pid from update_events limit 1", [], |_| Ok(()));
+ match r {
+ Ok(_) => (),
+ Err(rusqlite::Error::QueryReturnedNoRows) => (),
+ Err(_) => {
+ rudder_debug!("Adding the pid column");
+ self.conn
+ .execute("alter table update_events add pid integer", ())?;
+ }
 }
 Ok(())
 }
@@ -372,6 +376,8 @@ mod tests {
 let mut db = PackageDatabase::open_existing(conn);
 db.migration_add_pid().unwrap();
+ // can run twice
+ db.migration_add_pid().unwrap();
 let conn = db.into_connection();
 let r = conn.execute("select pid from update_events", ());
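Review bot: The catch-all `Err(_)` arm in the pid migration treats every failure of the probe query as "column missing", so a locked database, an I/O error or a missing `update_events` table all fall through to `alter table`, and the real cause surfaces only as a failed ALTER. For a module that runs as root against its own state database, the migration should decide from the schema rather than from an error: count the `pid` entry in `pragma_table_info('update_events')` and propagate any other failure with `?`. The enclosing function starts above the hunk, so its signature is not visible here.

```rust
// … unchanged: rudder_debug!("Running pid migration") …
let pid_columns: i64 = self.conn.query_row(
    "select count(*) from pragma_table_info('update_events') where name = 'pid'",
    [],
    |row| row.get(0),
)?;
if pid_columns == 0 {
    rudder_debug!("Adding the pid column");
    self.conn
        .execute("alter table update_events add pid integer", ())?;
}
// … unchanged: Ok(()) …
```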
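Review bot: The repeated `db.migration_add_pid().unwrap()` exercises only the table state this fixture happens to have, while the fix has two distinct no-op arms: `Ok(_)` for a table with rows and `QueryReturnedNoRows` for an empty one. The fixture is set up above the hunk, so which arm runs cannot be told from here; a second case that runs the repeat call against the other table state (one row in `update_events`, or none) would pin both. A comment such as `// second run must be a no-op for both empty and populated tables` would state the intent more precisely than `// can run twice`.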