Re: Misconfigured bookworm upgrades
On Fri, Feb 28, 2025 at 10:57:31AM +0000, Colin Watson wrote:
> Ian Fleming wrote: "Once is happenstance. Twice is coincidence. The third
> time it's enemy action." I've only got as far as coincidence so far, but
> it's still enough to make me wonder.
>
> The following bugs on openssh both report problems with applying a recent
> security update on bookworm, because it depends on a libssl3 version that
> was added to bookworm in a point release:
>
> https://bugs.debian.org/1098272
> https://bugs.debian.org/1099091
>
> This is clearly (to my mind) a misconfiguration, so I've rejected them as
> bugs on openssh: we don't support installing only security updates and never
> upgrading to packages from new point releases, because those aren't
> rigorously separate streams: security updates are built against the stable
> suite and so may pick up versioned dependencies against it. But seeing two
> users who seem to have their systems configured this way makes me wonder
> what's going on. Does anyone know of documentation somewhere that
> recommends configuring stable systems this way?
As a datapoint, I have not seen documentation that recommends doing
this, but I have on occasion removed the main archive from my
sources.list leaving only security updates. I have done this post point
release when I do not yet have a window scheduled for a reboot post
point release update, but do want to get security fixes.
It did not occur to me that such a thing could be considered a
misconfiguration, I've always assumed that libraries wouldn't change
enough in stable that this sort of thing would occur.
J.
--
101 things you can't have too much of : 36 - Spare video tapes.
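The configuration both messages describe, a sources.list that keeps the bookworm-security suite but drops (or comments out) the bookworm base suite, can be detected mechanically. The POSIX shell script below is an added example and is not code from either poster or from the Debian project; it parses the one-line sources.list format, lists the suites enabled on active `deb` lines (tolerating an `[options]` block before the mirror URL), and reports any `<codename>-security` suite whose `<codename>` base suite is missing, since security uploads are built against that base suite and can carry versioned dependencies that only its point releases satisfy. The two sample files it writes under a temporary directory are constructed for the demonstration and do not come from any real system.

```shell
#!/bin/sh
# Added example, not from the thread: flag an apt sources.list that enables a
# "<codename>-security" suite without the matching "<codename>" base suite.
# Security uploads are built against the base suite and may depend on package
# versions (e.g. libssl3) that only arrive through the base suite's point
# releases, so this layout can leave a security update uninstallable.

# Print the suite named on each active "deb" line (comments and deb-src are
# ignored), allowing for an optional "[options]" block before the URL.
active_suites() {
    sed 's/#.*//' "$1" | awk '
        $1 == "deb" {
            i = 2
            # skip "[arch=... signed-by=...]" if present; i then points at the URL
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            print $(i + 1)
        }'
}

# check_sources FILE: return 0 when every "-security" suite has its base suite
# enabled as well, 1 otherwise (printing what is missing and a corrected line).
check_sources() {
    suites=$(active_suites "$1")
    status=0
    for s in $suites; do
        case "$s" in
            *-security)
                base=${s%-security}
                if ! printf '%s\n' "$suites" | grep -qx "$base"; then
                    echo "$1: enables $s but not $base; add a line such as:"
                    echo "  deb http://deb.debian.org/debian $base main"
                    status=1
                fi
                ;;
        esac
    done
    return $status
}

# Constructed sample files (hypothetical contents, not from any real system).
WORK=$(mktemp -d)
BAD="$WORK/security-only.list"
GOOD="$WORK/complete.list"
cat > "$BAD" <<'EOF'
# base suite commented out until a reboot window is available
#deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
EOF
cat > "$GOOD" <<'EOF'
deb [arch=amd64] http://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm-updates main
deb http://security.debian.org/debian-security bookworm-security main
EOF

check_sources "$BAD" || echo "-> $BAD is misconfigured"
check_sources "$GOOD" && echo "-> $GOOD is consistent"
```

Run it against a real `/etc/apt/sources.list` by calling `check_sources /etc/apt/sources.list`; files under `/etc/apt/sources.list.d/` in the one-line format can be checked the same way, while the deb822 `.sources` format is not handled here.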