
[andreas.krueger@dv-ratio.com: Need "apt-get dist-downgrade" or similar when Sarge comes out.]

Andreas has a point here, but I don't know how to deal with this
problem properly.  Packages removed from sarge at some time which
were part of sarge before, will not be security-covered (after the



----- Forwarded message from "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com> -----

Date: Thu, 23 Sep 2004 14:12:21 +0200
From: "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com>
To: control@bugs.debian.org, 115787@bugs.debian.org, security@debian.org,
Cc: 267880@bugs.debian.org
Subject: Need "apt-get dist-downgrade" or similar when Sarge comes out.
X-Folder: debian-security-private@lists.infodrom.org

tags 115787 + sarge
thank you, control@bugs.debian.org

By the time Sarge comes out officially, some packages will have been removed 
from Sarge, that, at some point in time, have been a part of Sarge.  For a 
(likely) example, see bug 267880 of apt-proxy, i.e., 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267880 .

Personally, I really look forward to the official release of Sarge.  E.g., 
there's this Sarge server waiting to be put into official production.  One 
of the things I look forward to as a really valuable service is, the Debian 
security team's full coverage of the software I use.

Previously, I had hoped that the release of Sarge by Debian, and a subsequent

   apt-get dist-upgrade

by myself, will eventually result in a stable, security-team-covered system.

I'm not so sure about that any more.

E.g., the team will surely not cover apt-proxy, obscure version 1.9.17, just 
because that version has, at one point, been part of Sarge.  On the other 
hand, apt-get is not likely to downgrade apt-proxy from 1.9.17 to 1.3.6 
(assuming that version makes it into the stable Sarge release).

In my opinion, the general feature wishlisted by bug 115787 would really 
come in handy. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=115787 
(and its merged equivalents) for details. (I'm not sure that it'll help 
much, given the bug's humble "wishlist" priority, but I have taken the 
liberty to tag that bug "sarge".)

Bug 158372 is one of the merge-siblings of 115787.  At that bug, Jason 
Gunthorpe commented, some two years ago, that the required functionality will 
not be provided as a feature of apt.

If that has not changed in the meantime, I would like to ask Debian to 
clearly announce what else can be done by a Debian Sarge user to "stabilize" 
her machine. In essence,

"After dist-upgrade from Woody (stable) to Sarge (stable), you have software 
that is covered by the security team.  To achieve the same effect, Sarge 
(testing) users need to do XXX, to change their machines to Sarge (stable)."

I very much hope there will be a better solution for "XXX", besides the 
obvious "fdisk/mkfs/reinstall".  If so, I have not yet found it documented 
in any of the obvious places.

Regards, and thank you for providing fine software,

Andreas Krüger
Dr. Andreas Krüger, andreas.krueger@dv-ratio.com
GPG/PGP Fingerprint 8063 4A9B 362D 4220 A546  14C1 EA19 AADC FD44 5EB7
DV-RATIO Nordwest GmbH, Tel.: +49 211 577 996-0, Fax:  +49 211 559 1617
Leostraße 31, 40545 Düsseldorf, Germany

----- End forwarded message -----

Unix is user friendly ...  It's just picky about its friends.

Please always Cc to me when replying to me on the lists.
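
The condition described in the forwarded message can at least be detected. The following is an added example, not part of the original message or of apt: it lists installed packages that are absent from the stable index or installed at a higher version than stable carries. It assumes the inputs are the text of `/var/lib/dpkg/status` and of the stable `Packages` index; `gone-pkg` and `same-pkg` are constructed names.

```python
import re

def _order(c):  # dpkg weight: '~' < end of string < letters < other symbols
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # compare alternating non-digit and numeric runs
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def vercmp(a, b):
    # <0, 0 or >0 by Debian version rules: epoch, then upstream, then revision
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def stanzas(text):  # parse RFC822-style control stanzas, skipping continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        yield dict(l.split(": ", 1) for l in block.splitlines()
                   if ": " in l and not l[:1].isspace())

def uncovered(status_text, stable_index_text):
    # Map package -> (installed version, stable version or None if not in stable)
    stable = {s["Package"]: s["Version"] for s in stanzas(stable_index_text)}
    inst = {s["Package"]: s["Version"] for s in stanzas(status_text)
            if s.get("Status") == "install ok installed"}
    return {p: (v, stable.get(p)) for p, v in inst.items()
            if p not in stable or vercmp(v, stable[p]) > 0}

# Constructed sample data; the apt-proxy versions are the ones named in the message.
STATUS = ("Package: apt-proxy\nStatus: install ok installed\nVersion: 1.9.17\n\n"
          "Package: gone-pkg\nStatus: install ok installed\nVersion: 0.4-1\n\n"
          "Package: same-pkg\nStatus: install ok installed\nVersion: 2.0~rc1-1\n")
STABLE = ("Package: apt-proxy\nVersion: 1.3.6\n\n"
          "Package: same-pkg\nVersion: 2.0-1\n")
```

Packages the function reports are the ones a plain `apt-get dist-upgrade` leaves at a version the stable archive does not carry; `same-pkg` is not reported because its installed version sorts below the stable one.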
