
Re: Security updates from BPO (was: Good practise for using etch-backports when lenny is released)

Sven Velt wrote on Wednesday, 15 October 2008:

> Hi!
> Just *my* opinion...
> Alexander Wirt wrote:
> > 
> > Emmanuel Kasper wrote on Wednesday, 15 October 2008:
> > 
> > > [...]
> > > From what I understand in this mail
> > > http://lists.debian.org/debian-isp/2008/09/msg00046.html
> > > if I keep etch-backports in my sources.list after Lenny is released, I  
> > > may get packages backported from Squeeze, which may break a later  
> > > etch2lenny upgrade
> > Yes, that's true. But since there is no automatic installation of updates from
> > etch-bpo there should be no problem (only if you use that stupid pinning
>                                       ^^^^^^^^^^^^^^^^^^^^^^!!!!!!^^^^^^^^
> > mechanism, but that is your problem), so you just have to check the version
>   ^^^^^^^^^^^^^^^^^^^^^^^!!!!!!!!!!!!^
> > before you install or upgrade anything from bpo. 
> ... a little bit upset by your comment ....
> IIRC BPO started with automatic updates of installed packages and there
> was no discussion about changing this behaviour, right? Maybe I just
> missed this discussion, so if there was one please give me a hint.

It's since 2006 and there were several discussions about pinning and
automatic updates on this list.

> I'm *really* interested how many people out there put backports.org in
> their sources.list and are running vulnerable versions because of *NOT*
> getting "security updates" from BPO.

Their fault:


	Using backports.org is very simple:

	1. Add this line

	deb http://www.backports.org/debian etch-backports main contrib

	to your /etc/apt/sources.list.

	2. Run apt-get update

	3. All backports are deactivated by default. If you want to install
	something from backports run:

	apt-get -t etch-backports install "package"

	Of course, you can use aptitude as well:

	aptitude -t etch-backports install "package"

And later: 

 If you want to get your packages from backports upgraded automatically the
 following entry in /etc/apt/preferences should be sufficient:

 Package: *
 Pin: release a=etch-backports
 Pin-Priority: 200

> Yes, I know that people who are using BPO *should* read this mailing
> list but I don't think 5% or more are doing so... So from a BPO user
> point of view this isn't really what he/she expects.

Just reading the instructions on the webpage would be enough.

Alexander Wirt, formorer@formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A
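
Added example (not part of the original message, and not code from backports.org or APT): a simplified Python model of APT's candidate selection, showing why a package installed from etch-backports gets no newer backport without the pin and does get it with Pin-Priority 200, while packages installed from stable stay on stable. The priority of 1 for the unpinned archive assumes it is marked NotAutomatic; the package versions are constructed.

```python
# Simplified model of APT candidate selection, after apt_preferences(5).
# Versions are listed newest first, so no dpkg version comparison is needed.
# Package versions below are constructed samples.

INSTALLED = 100      # priority of the currently installed version
STABLE = 500         # default priority of an ordinary archive
NOT_AUTOMATIC = 1    # assumed: unpinned etch-backports is "NotAutomatic: yes"


def candidate(versions, installed):
    """versions: [(version, [priorities of archives offering it])], newest first.
    Returns the version APT would select for install/upgrade."""
    best, best_prio = None, 0
    for ver, prios in versions:
        if ver == installed:
            prios = prios + [INSTALLED]
        prio = max(prios, default=0)
        if prio > best_prio:          # ties keep the newer version
            best, best_prio = ver, prio
        if ver == installed and best_prio < 1000:
            break                     # no downgrade below a pin of 1000
    return best


def from_backports(bpo_prio):
    """Backport 2.0~bpo1 is installed; a fixed 2.0~bpo2 has been uploaded."""
    versions = [("2.0~bpo2", [bpo_prio]), ("2.0~bpo1", []), ("1.0", [STABLE])]
    return candidate(versions, installed="2.0~bpo1")


def from_stable(bpo_prio):
    """Stable 1.0 is installed; etch-backports also offers 2.0~bpo1."""
    versions = [("2.0~bpo1", [bpo_prio]), ("1.0", [STABLE])]
    return candidate(versions, installed="1.0")


if __name__ == "__main__":
    for prio in (NOT_AUTOMATIC, 200, STABLE):
        print(prio, from_backports(prio), from_stable(prio))
```

On a real system, `apt-cache policy <package>` shows the priorities and the candidate APT actually computes.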
