
Re: security.debian.org vs debian-lts repository



>> On 2014-10-08 15:07, Matus UHLAR - fantomas wrote:
>>> What about squeeze-updates (formerly volatile)?
>>> Are they still needed?
>>> Are security fixes applied to packages in squeeze or squeeze-updates?
>>
>> That question doesn't make sense. squeeze-updates is a strict subset of squeeze (technically squeeze+o-p-u, until a point release). There are never packages in squeeze-updates which are not also in squeeze+o-p-u.
>
> this is what I wanted to know and what I hoped for...
> I think I have already asked about that some time ago.
>
> On 08.10.14 13:32, Adam D. Barratt wrote:
>> It's also explained in the dda mail that's linked to from every mail to debian-stable-announce@lists.
>
> hmmm I did not get this, sorry.
>
> I was asking, when there are different packages in squeeze and
> squeeze-updates (volatile), to which one are security patches applied.

It's easier if we stop talking about squeeze-updates.

The real question is "if there are different packages in squeeze and squeeze-proposed-updates, to which one are security patches applied" and the obvious answer is squeeze-proposed-updates, as that's what will become squeeze at the next point release. (If the package in -updates is newer than squeeze, then it is either the same as or older than the package in proposed-updates; if the package in -updates is the same or older than squeeze then it's irrelevant).

[...]

>>> and also others from openjdk-6 family:
>>
>> Those are all the same source package. And, no, they weren't missed.
>>
>> The openjdk-6 updates were unfortunately not able to be included, as mentioned in https://lists.debian.org/debian-announce/2014/msg00006.html (albeit only by DSA reference).
>>
>> Specifically, because the openjdk-6 DSA packages for wheezy FTBFS on some architectures, wheezy currently contains 6b27-1.12.5-1. Accepting the squeeze-security packages as part of a point release would have led to oldstable having a higher version of the packages than stable on some architectures, which would be broken.
>
> Is this still applicable?
>
> We only have 2 architectures in LTS and if we want to clear security
> updates, it would be good that security updates were still available...

Updating openjdk-6 in LTS to a version > 6b27-1.12.5-1 will still cause the same problem, yes. I haven't checked the archive constraints for -lts, but certainly having it contain more recent packages than wheezy would at the very least break the principle of least surprise.

>>> ... and even vice versa, it seems (left from before the last point release?)
>>>
>>> postgresql-client:
>>>   Installed: (none)
>>>   Candidate: 8.4.22-0+deb6u1
>>>   Version table:
>>>      8.4.22-0+deb6u1 0
>>>         500 http://ftp.sk.debian.org/debian/ squeeze-lts/main amd64 Packages
>>>      8.4.21-0squeeze1 0
>>>         500 http://ftp.sk.debian.org/debian/ squeeze/main amd64 Packages
>>>      8.4.20-0squeeze1 0
>>>         500 http://security.debian.org/ squeeze/updates/main amd64 Packages
>>
>> I'm unsure what you believe the issue is here - 8.4.20-0squeeze1 was a security update, 8.4.21-0squeeze1 was not.
>
> the point was just that it's apparently useless to have an older version in
> security updates than there is in the main archive....

Ah, okay. That's been the case for $ever though - packages aren't removed from security just because they've been superseded in the main archive.

Regards,

Adam
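The whole thread turns on dpkg version ordering: apt's candidate among the three sources above is simply the highest version at equal pin priority, and the openjdk-6 problem is an oldstable/LTS version sorting above stable's 6b27-1.12.5-1. The following is an added example, not code from this mail or from dpkg/apt: a Python re-implementation of dpkg's comparison (epoch, then upstream_version, then debian_revision, with `~` sorting below everything), plus two small checks; the function names and any openjdk-6 version other than 6b27-1.12.5-1 used with it are constructed for illustration.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _order(s, i):
    # dpkg character weight: end-of-run or digit 0, '~' below everything,
    # letters by code point, other characters above all letters
    if i >= len(s) or s[i].isdigit():
        return 0
    return -1 if s[i] == "~" else ord(s[i]) if s[i].isalpha() else ord(s[i]) + 256

def _verrevcmp(a, b):
    # dpkg verrevcmp(): walk alternating (non-digit run, digit run) pairs;
    # non-digit runs compare per character via _order(), digit runs numerically
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na, i), _order(nb, i)
            if oa != ob:
                return -1 if oa < ob else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream_version[-debian_revision]; only the last '-' starts the revision,
    # so "6b27-1.12.5-1" is upstream "6b27-1.12.5" with revision "1"
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """-1, 0 or 1 for a <, ==, > b in dpkg ordering: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def apt_candidate(versions):
    """At equal pin priority (500 in the policy output above) apt takes the highest version."""
    return max(versions, key=cmp_to_key(compare_versions))

def exceeds_stable(oldstable_version, stable_version):
    """The skew the thread warns about: an oldstable/LTS package sorting above stable's."""
    return compare_versions(oldstable_version, stable_version) > 0
```

A revision suffix such as `1~deb6u1` (a constructed value) sorts below plain `1`, which is why a backport built that way cannot outrank the stable package the way a higher upstream version would.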

