[andreas.krueger@dv-ratio.com: Need "apt-get dist-downgrade" or similar when Sarge comes out.]
Andreas has a point here, but I don't know how to deal with this
problem properly. Packages removed from sarge at some time which
were part of sarge before, will not be security-covered (after the
release).
Regards,
Joey
----- Forwarded message from "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com> -----
Date: Thu, 23 Sep 2004 14:12:21 +0200
From: "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com>
To: control@bugs.debian.org, 115787@bugs.debian.org, security@debian.org,
deity@lists.debian.org
Cc: 267880@bugs.debian.org
Subject: Need "apt-get dist-downgrade" or similar when Sarge comes out.
X-Folder: debian-security-private@lists.infodrom.org
tags 115787 + sarge
thank you, control@bugs.debian.org
By the time Sarge comes out officially, some packages will have been removed
from Sarge, that, at some point in time, have been a part of Sarge. For a
(likely) example, see bug 267880 of apt-proxy, i.e.,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267880 .
Personally, I really look forward to the official release of Sarge. E.g.,
there's this Sarge server waiting to be put into official production. One
of the things I look forward to as a really valuable service is, the Debian
security team's full coverage of the software I use.
Previously, I had hoped that the release of Sarge by Debian, and a subsequent
apt-get dist-upgrade
by myself, will eventually result in a stable, security-team-covered system.
I'm not so sure about that any more.
E.g., the team will surely not cover apt-proxy, obscure version 1.9.17, just
because that version has, at one point, been part of Sarge. On the other
hand, apt-get is not likely to downgrade apt-proxy from 1.9.17 to 1.3.6
(assuming that version makes it into the stable Sarge release).
In my opinion, the general feature wishlisted by bug 115787 would really
come in handy. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=115787
(and its merged equivalents) for details. (I'm not sure that it'll help
much, given the bug's humble "wishlist" priority, but I have taken the
liberty to tag that bug "sarge".)
Bug 158372 is one of the merge-syblings of 115787. At that bug, Jason
Gunthorpe commented, some two years ago, that the required functionalty will
not be provided as a feature of apt.
If that has not changed in the meantime, I would like to ask Debian to
clearly announce what else can be done by a Debian Sarge user to "stabilize"
her machine. In essence,
"After dist-upgrade from Woody (stable) to Sarge (stable), you have software
that is covered by the security team. To achive the same effect, Sarge
(testing) users need to do XXX, to change their machines to Sarge (stable)."
I very much hope there will be a better solution for "XXX", besides the
obvious "fdisk/mkfs/reinstall". If so, I have not yet found it documented
in any of the obvious places.
Regards, and thank you for providing fine software,
Andreas Krüger
--
Dr. Andreas Krüger, andreas.krueger@dv-ratio.com
GPG/PGP Fingerprint 8063 4A9B 362D 4220 A546 14C1 EA19 AADC FD44 5EB7
DV-RATIO Nordwest GmbH, Tel.: +49 211 577 996-0, Fax: +49 211 559 1617
Leostraße 31, 40545 Düsseldorf, Germany
----- End forwarded message -----
--
Unix is user friendly ... It's just picky about its friends.
Please always Cc to me when replying to me on the lists.
Reply to: