
Re: [andreas.krueger@dv-ratio.com: Need "apt-get dist-downgrade" or similar when Sarge comes out.]



[taking the original submitter to CC]

On Thu, Sep 23, 2004 at 11:49:16PM +0200, Martin Schulze wrote:
> Andreas has a point here, but I don't know how to deal with this
> problem properly.  Packages removed from sarge at some time which
> were part of sarge before, will not be security-covered (after the
> release).

There is at least one possibility to achieve this that I know of:
aptitude lists all "obsolete" packages in an extra category.
So one can just start aptitude and remove all packages listed there.
(of course this only works if you have no sid deb lines in your
sources.list and just exclude them by pinning or by specifying
Default-Release). This is how I cleaned up my system after
dist-upgrade woody->sarge.

If this method is the best we have we should perhaps add it to the
release notes.

> ----- Forwarded message from "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com> -----
> 
> Date: Thu, 23 Sep 2004 14:12:21 +0200
> From: "\"Dr. Andreas Krüger\"" <andreas.krueger@dv-ratio.com>
> To: control@bugs.debian.org, 115787@bugs.debian.org, security@debian.org,
> 	deity@lists.debian.org
> Cc: 267880@bugs.debian.org
> Subject: Need "apt-get dist-downgrade" or similar when Sarge comes out.
> X-Folder: debian-security-private@lists.infodrom.org
> 
> tags 115787 + sarge
> thank you, control@bugs.debian.org
> 
> By the time Sarge comes out officially, some packages will have been removed 
> from Sarge, that, at some point in time, have been a part of Sarge.  For a 
> (likely) example, see bug 267880 of apt-proxy, i.e., 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267880 .
> 
> Personally, I really look forward to the official release of Sarge.  E.g., 
> there's this Sarge server waiting to be put into official production.  One 
> of the things I look forward to as a really valuable service is, the Debian 
> security team's full coverage of the software I use.
> 
> Previously, I had hoped that the release of Sarge by Debian, and a subsequent
> 
>    apt-get dist-upgrade
> 
> by myself, will eventually result in a stable, security-team-covered system.
> 
> I'm not so sure about that any more.
> 
> E.g., the team will surely not cover apt-proxy, obscure version 1.9.17, just 
> because that version has, at one point, been part of Sarge.  On the other 
> hand, apt-get is not likely to downgrade apt-proxy from 1.9.17 to 1.3.6 
> (assuming that version makes it into the stable Sarge release).
> 
> In my opinion, the general feature wishlisted by bug 115787 would really 
> come in handy. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=115787 
> (and its merged equivalents) for details. (I'm not sure that it'll help 
> much, given the bug's humble "wishlist" priority, but I have taken the 
> liberty to tag that bug "sarge".)
> 
> Bug 158372 is one of the merge-siblings of 115787.  At that bug, Jason 
> Gunthorpe commented, some two years ago, that the required functionality will 
> not be provided as a feature of apt.
> 
> If that has not changed in the meantime, I would like to ask Debian to 
> clearly announce what else can be done by a Debian Sarge user to "stabilize" 
> her machine. In essence,
> 
> "After dist-upgrade from Woody (stable) to Sarge (stable), you have software 
> that is covered by the security team.  To achieve the same effect, Sarge 
> (testing) users need to do XXX, to change their machines to Sarge (stable)."
> 
> I very much hope there will be a better solution for "XXX", besides the 
> obvious "fdisk/mkfs/reinstall".  If so, I have not yet found it documented 
> in any of the obvious places.
> 
> Regards, and thank you for providing fine software,
> 
> Andreas Krüger
> -- 
> Dr. Andreas Krüger, andreas.krueger@dv-ratio.com
> GPG/PGP Fingerprint 8063 4A9B 362D 4220 A546  14C1 EA19 AADC FD44 5EB7
> DV-RATIO Nordwest GmbH, Tel.: +49 211 577 996-0, Fax:  +49 211 559 1617
> Leostraße 31, 40545 Düsseldorf, Germany
> 
> 
> 
> ----- End forwarded message -----
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
