Some myths regarding apt pinning



Since some people seem to think apt pinning can solve all problems with 
outdated packages in stable, I want to explain why this is wrong:

apt pinning is good if you are running testing but need a package (e.g.
a security update) from unstable.

There are people that use apt pinning to install packages from unstable 
on a woody system. This is bad because nearly every installation of a 
package from unstable pulls a new libc6 and it's also possible that it 
pulls a new Perl and Python. Then some _very_ essential components of 
your system are upgraded to the potentially more buggy versions in 
unstable.

From a security point of view woody + libc6 from unstable is worse than 
any other possibility. Consider there's another security bug in libc6. 
The fixed version for stable has a lower version number than the version 
on your system and you won't get the update. This is worse than the 
situation when you are running one of stable/unstable/testing:

stable:
Stable users get security updates from security.debian.org.

unstable:
A fixed package for unstable is usually available about as fast as the 
fix for stable.

testing:
Every user of testing knows that he must read debian-security-announce
and if needed install fixes from unstable since it can take an arbitrary
amount of time until security fixes from unstable enter testing (most
likely none of the fixes from the last 70 security advisories is in
testing).


cu
Adrian

BTW: Please Cc me on replies.

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
