Re: Package management and security
Title: Re: Package management and security
The security team looks at the diffs for the patch to version 2 of the software, identifies the parts that fix the bug in version 1 and manually back port the bug fix to version 1. We end up with a Debian specific version that doesn’t introduce new dependencies or features. This works with great success (through a huge amount of effort) the majority of the time. Some packages are more difficult to do this with then others (i.e. Firefox – you can search the archives of this list for specific details about why).
On 6/8/07 3:56 AM, "Frédéric PICA" <firstname.lastname@example.org> wrote:
Ok, so apt-get update/upgrade -y in a cron job will work but what about my first question ?
Lets say debian stable has foo-1.0 package.
I does apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reason.
Meanwhile the author of foo release version 2, debian stable will not upgrade the package because the version 2 add more features, have new dependencies, ...
And now, the author release version 2.1 , a critical security fix, there is a flaw found from version 1 to 2.
The debian security team does it's work and first try to backport the security fix but that time it's not possible so they have no other choice to package version 2.1 in the security channel.
As version 2.1 has new dependencies requirements wich are not installed, apt-get upgrade will not update that package, right ?
Even if in 99% of the time, this will work great, I can't let this 1%.
I could let this 1% risk only if I have a way to be warned, the server sending me automatically a mail for example, but I think there is no way to do that because there is no way to interface ourself with apt (no plugin system at that time)
I am right ?
2007/6/7, Riku Valli <email@example.com>:
Frédéric PICA wrote:
> Thanks for your answer,
> So I need to do an apt-get dist-upgrade in my cron job to be sure to
> always have the latest security fixes ?
> What's the risk to have a needed package uninstalled by that way ?
> My goal is to have the latest security fixes for a server, but I have
> to be sure that dist-upgrade will not broke my server by removing
> needed pacakges, for example mod_php for apache or things like that.
> 2007/6/7, Riku Valli <firstname.lastname@example.org
> Frédéric PICA wrote:
> > Greets,
> > I saw in 'man apt-get' that using apt-get upgrade does not
> install new
> > packages or remove an already installed package.
> > Is it possible that I did'nt get the latest security fixes using
> > apt-get upgade in a cron job ?
> > I think particularly about security fixes that can't be retro-ported
> > to the debian stable version and needs to upgrade the package to the
> > latest author available version, what's going on if the package
> > dependencies changes ? Does the security patched will be installed
> > with it's new dependencies anyway or does the package will not be
> > upgraded ?
> > Thanks for your help,
> > FP
> apt-get upgrade only upgrade your packages for newer version. When
> package is upgraded this way at it need new extra packages, then
> can't upgrade your package. You must install it.
> -- Riku
In normal case when you used Debian stable. You made only update/upgrade
and possible need switch -y (assume yes for every question). At stable
debencies normally never changes. This dist-upgrade is (at stable) only
used when you updated Debian releases from older to newer.
Older stable there was only one kernel upgrade which needed manually
Maybe this is better explained man aptitude, see below.
Upgrades installed packages to their most recent version.
packages will not be removed unless they are unused (see the
section "Managing Automatically Installed Packages" in the
reference manual); packages which are not currently installed
not be installed.
If a package cannot be upgraded without violating these
constraints, it will be kept at its current version. Use the
dist-upgrade command to upgrade these packages as well.
Upgrades installed packages to their most recent version,
or installing packages as necessary. This command is less
conservative than upgrade and thus more likely to perform
unwanted actions. Users are advised to either use upgrade
instead or to carefully inspect the list of packages to be
installed and removed.