Re: Security updates from BPO (was: Good practise for using etch-backports when lenny is released)
Sven Velt schrieb am Mittwoch, den 15. Oktober 2008:
> Hi!
>
> Just *my* opinion...
>
> Alexander Wirt wrote:
> >
> > Emmanuel Kasper schrieb am Mittwoch, den 15. Oktober 2008:
> >
> > > [...]
> > > From what I understand in this mail
> > > http://lists.debian.org/debian-isp/2008/09/msg00046.html
> > > if I keep etch-backports in my sources.list after Lenny is released, I
> > > may get packages backported from Squeeze, which may break a later
> > > etch2lenny upgrade
> > Yes thats true. But since there is no automatic installation of updates from
> > etch-bpo there should be no problem (only if you use that stupid pinning
> ^^^^^^^^^^^^^^^^^^^^^^!!!!!!^^^^^^^^
> > mechanism, but that is your problem), so you just have to check the version
> ^^^^^^^^^^^^^^^^^^^^^^^!!!!!!!!!!!!^
> > before you install or upgrade anything from bpo.
>
> ... a little bit upset by your comment ....
>
> IIRC BPO started with automatic updates of installed packages and there
> was no discussion about changing this behaviour, right? Maybe I just
> missed this discussion, so if there was one please give my a hint.
http://lists.backports.org/lurker-bpo/message/20060814.093117.ab4c6b26.en.html
its since 2006 and there were several discussions about pinning and
automatic updates on this list.
>
> I'm *really* interested how many people out there put backports.org in
> their sources.list and are running vulnerable versions because of *NOT*
> getting "security updates" from BPO.
There fault:
Using backports.org is very simple:
1. Add this line
deb http://www.backports.org/debian etch-backports main contrib
non-free
to your /etc/apt/sources.list.
2. Run apt-get update
3. All backports are deactivated by default. If you want to install
something from backports run:
apt-get -t etch-backports install “package”
Of course, you can use aptitude as well:
aptitude -t etch-backports install “package”
And later:
If you want to get your packages from backports upgraded automatically the
following entry in /etc/apt/preferences should be sufficient:
Package: *
Pin: release a=etch-backports
Pin-Priority: 200
>
> Yes, I know that people who are using BPO *should* read this mailing
> list but I don't think 5% or more are doing so... So from a BPO user
> point of view this isn't really what he/she expects.
Just reading the instructions on the webppage would be enough.
Alex
--
Alexander Wirt, formorer@formorer.de
CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A
Reply to: