Re: security.debian.org vs debian-lts respository

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On 2014-10-08 12:59, Matus UHLAR - fantomas wrote:
> > On 2014-10-04 11:30, Matus UHLAR - fantomas wrote:
> > > What about squeeze-updates (formerly volatile)?
> > > Are they still needed?
> > > Are security fixes applied to packages in squeeze or squeeze-updates?
>
> On 04.10.14 12:09, Adam D. Barratt wrote:
> > That question doesn't make sense. squeeze-updates is a strict subset 
> > of squeeze (technically squeeze+o-p-u, until a point release). There 
> > are never packages in squeeze-updates which are not also in 
> > squeeze+o-p-u.
>
> this is what I wanted to know and what I hoped for...
> I think I have already asked about that some time ago.

It's also explained in the dda mail that's linked to from every mail to 
debian-stable-announce@lists.

> > (In fact, I'm tempted to clear out squeeze-updates, as all of the 
> > packages have now been part of a point release and are thus in squeeze 
> > proper.)
>
> there still are versions in security that are lower in main, were they
> missed

[re-ordered slightly for ease of reply]

> openjdk-6-jre:
[...]
> and also others from openjdk-6 family:
> openjdk-6-jdk

Those are all the same source package. And, no, they weren't missed.

The openjdk-6 updates were unfortunately not able to be included, as 
mentioned in https://lists.debian.org/debian-announce/2014/msg00006.html 
(albeit only by DSA reference).

Specifically, because the openjdk-6 DSA packages for wheezy FTBFS on 
some architectures, wheezy currently contains 6b27-1.12.5-1. Accepting 
the squeeze-security packages as part of a point release would have led 
to oldstable having a higher version of the packages than stable on some 
architectures, which would be broken.

> davfs2:
>   Installed: (none)
>   Candidate: 1.4.6-1.1+squeeze1
>   Version table:
>      1.4.6-1.1+squeeze1 0
>         500 http://security.debian.org/ squeeze/updates/main amd64 
> Packages
>      1.4.6-1 0
>         500 http://ftp.sk.debian.org/debian/ squeeze/main amd64 
> Packages

This was also mentioned in the announcement, and again has 
version-related issues, as described in 
https://lists.debian.org/debian-security-announce/2014/msg00160.html

Unfortunately that update came too late to allow the situation in wheezy 
to be resolved before the point release.

> ... and even the vice versa, seems (left from before last point 
> release?)
>
> postgresql-client:
>   Installed: (none)
>   Candidate: 8.4.22-0+deb6u1
>   Version table:
>      8.4.22-0+deb6u1 0
>         500 http://ftp.sk.debian.org/debian/ squeeze-lts/main amd64 
> Packages
>      8.4.21-0squeeze1 0
>         500 http://ftp.sk.debian.org/debian/ squeeze/main amd64 
> Packages
>      8.4.20-0squeeze1 0
>         500 http://security.debian.org/ squeeze/updates/main amd64 
> Packages

I'm unsure what you believe the issue is here - 8.4.20-0squeeze1 was a 
security update, 8.4.21-0squeeze1 was not.

Regards,

Adam