Re: Security updates from BPO (was: Good practise for using etch-backports when lenny is released)
* Alexander Wirt <firstname.lastname@example.org> [2008-10-15 11:14:02 CEST]:
> Sven Velt schrieb am Mittwoch, den 15. Oktober 2008:
> > Alexander Wirt wrote:
> > > Emmanuel Kasper schrieb am Mittwoch, den 15. Oktober 2008:
> > > > [...]
> > > > From what I understand in this mail
> > > > http://lists.debian.org/debian-isp/2008/09/msg00046.html
> > > > if I keep etch-backports in my sources.list after Lenny is released, I
> > > > may get packages backported from Squeeze, which may break a later
> > > > etch2lenny upgrade
> > > Yes thats true.
I'd like to add my 2 cents that it though isn't what should be expected
by default. Backported packages from squeeze to etch-backports should
IMNSHO be discouraged and only be done with good reasoning, propably
along the same lines with that backports from unstable are accepted.
... doesn't change much that it most propably will happen, even if
proper reasoning is applied.
> > I'm *really* interested how many people out there put backports.org in
> > their sources.list and are running vulnerable versions because of *NOT*
> > getting "security updates" from BPO.
I am really trying to track security updates for BPO and am trying to
get it incorporated into the <http://security-tracker.debian.net/> for
having a good overview for people to check. Please be a bit patient
here, there will be a security team meeting at the end of november that
I plan to attend and I expect that I will be able to give more insight
into the issue from then.
For the time being I'm doing it manual and if you follow
backports-changes you most propably have noticed that by now. But yes,
it's no proper support yet neither.
> And later:
> If you want to get your packages from backports upgraded automatically the
> following entry in /etc/apt/preferences should be sufficient:
> Package: *
> Pin: release a=etch-backports
> Pin-Priority: 200
Right, but Alex, having this written just like that means that people
will adopt it and use it. It doesn't have anything next to it that using
pinning might be discouraged for given reasons. It has a brief hint on
the first page with respect that there are exceptions that are
backported from unstable, but I'd suggest that it can (and should) be
written more prominently. Given the huge pg8.2 thread recently did turn
up that it's not that obvious to others like it is to us that backports
is a moving target.
So long. :)