[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Some myths regarding apt pinning


Thanks you for your interesting review of apt pinning and their security
implications.  I think the real mith is "novice user can *upgrade*
system to the *latest* unstable distribution by apt-get."

I saw many unexperienced users try to *upgrade* to the unstable and
getting into major truble.  I think advocating the use of apt pinning is
useful to reduce their pains.

On Fri, Jan 24, 2003 at 02:59:17PM +0100, Adrian Bunk wrote:
> Since some people seem to thing apt pinning can solve all problems with 
> outdated packages in stable I want to explain why this is wrong:
> apt pinning is good if you are running testing but need a package (e.g.
> a security update) from unstable.

This is generally true and I am doing this now.  But this really depends
on status of debian archive.  Usually few weeks after new major stable
release, I think it is useful to run stable with a bit of mix from
testing since there are many totally new packages coming into testing
without getting flagged as RC fast enough :-)  After all apt pinning is
a user tool to throttle our exposures to testing/unstable :-)  It does
not cure bad packages.

> There are people that use apt pinning to install packages from unstable 
> on a woody system. This is bad because nearly every installation of a 
> package from unstable pulls a new libc6 and it's also possible that it 
> pulls a new Perl and Python. Then some _very_ essential components of 
> your system are upgraded to the potentially more buggy versions in 
> unstable.

We can always run "apt-get install -t unstable -u randompackage" and
decide.  Or "-d" option to download and read the changelog before

If upgrade of libc6, Perl and Python are threat to the system, certainly
apt pinning is not for those systems.  I thought the standard procedure
for this type of environment is:

1. Put deb-src for unstable and/or testing
2. Use stable or testing environment

      # apt-get build-dep randompackage
      # apt-get source -b randompackage

That is what I recommend in my reference for the servers if one has some
compelling reasons to install a new version.

Since I use Debian for mostly for WS, I usually do not bother to do this
on my system but simply use apt pinning.

> >>From a security point of view woody + libc6 from unstable is worse than 
> any other possibility. Consider there's another security bug in libc6. 
> The fixed version for stable has a lower version number than the version 
> on your system and you won't get the update. This is worse than the 
> situation when you are running one of stable/unstable/testing:
> stable:
> Stable users get security updates from security.debian.org.
> unstable:
> A fixed package for unstable is usually at about as fast as the fix for 
> stable available.
> testing:
> Every user of testing knows that he must read debian-security-announce
> and if needed install fixes from unstable since it can take an arbitrary
> amount of time until security fixes from unstable enter testing (most
> likely none of fixes from the last 70 security advisories is in
> testing).

Good point.  This tells us that the servers placed on Internet need to
follow your guidance of using stable/security.  There is no argument on
this end.

But for most workstations, how fanatic we have to keep our system
secure by simply installing security patches which are usually
buffer overflow fixes.  These risks can be minimized setting up
firewall and turning off risky services.  I also think without the
other care, system will be insecure even with the latest secured
packages.  Browsers and mail clients can be at risk but it is usually run
as a normal user so damages are limited in GNU/Linux.  

For all those new GNOME and KDE apps, I feel safer using the newer
version since it has been out in public in shorter time which makes it
less likely to get exploit assuming both version has same amount of
bugs.  If you are fanatic about exploits, we should not be using these
applications anyway :-)  But aren't they pretty. 

PS: I used to use your backport kernels and utilities in potato days.
    Thanks for your fine works.
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +++++
        Osamu Aoki <osamu@debian.org>   Cupertino CA USA, GPG-key: A8061F32
 .''`.  Debian Reference: post-installation user's guide for non-developers
 : :' : http://qref.sf.net and http://people.debian.org/~osamu
 `. `'  "Our Priorities are Our Users and Free Software" --- Social Contract

Reply to: