
Re: Package management and security



On Fri, Jun 08, 2007 at 09:56:09AM +0200, Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work but what about my
> first question ?

Don't do this :(  The pace of change in Debian stable is very slow: as 
you correctly say, fixes are backported and so on, but it is still worth 
a human being checking what is to be upgraded - running this blind from 
a cron job may mean that you miss something important. 

Take the fact that Debian Sarge was updated 7 times over 2 1/2 years - 
the last time being just hours before release of Etch. Point releases 
fix security and serious packaging bugs - each point release probably 
only contained 30 - 50 packages over a period of a few months. apt-get 
update once a week to see how much has changed and whether it is worth 
your while: then update carefully.

> Let's say Debian stable has the foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated
> to foo-1.0.1 for bugfix reasons.

This is fairly typical.

> Meanwhile the author of foo releases version 2; Debian stable will not
> upgrade the package because version 2 adds more features, has new
> dependencies, ...

2 will probably be in testing, 1 will continue in stable. Critical fixes
will be backported - if there are critical fixes which cannot be made, 
then it may be that the package will be considered for removal. This was 
one of the grounds for disagreement between Mozilla and Debian which led 
to Iceweasel: Mozilla don't want to support old versions, Debian don't 
want to just randomly change to new ones.

> And now the author releases version 2.1, a critical security fix; there is a
> flaw found from version 1 to 2.
> The Debian security team does its work and first tries to backport the
> security fix, but this time it's not possible, so they have no other choice
> than to package version 2.1 in the security channel.

Fixed in testing, backported fix to stable is the rule.

> As version 2.1 has new dependency requirements which are not installed,
> apt-get upgrade will not update that package, right?
> 

Not automatically: quite often, in these situations, maintainers produce 
a package to ease transitions.

> Even if 99% of the time this will work great, I can't accept this 1%.

Given the scale and pace of change, it's not infeasible to check what 
will be updated and update methodically.

> I could accept this 1% risk only if I have a way to be warned, the server
> sending me automatically a mail for example, but I think there is no way to
> do that because there is no way to interface ourselves with apt (no plugin
> system at that time).
> 
> Am I right?
> 
> FP
> 
> 2007/6/7, Riku Valli <riku.valli@vallit.fi>:
> >
> >Frédéric PICA wrote:
> >> Thanks for your answer,
> >>
> >> So I need to do an apt-get dist-upgrade in my cron job to be sure to
> >> always have the latest security fixes?
> >> What's the risk of having a needed package uninstalled that way?
> >>
> >> My goal is to have the latest security fixes for a server, but I have
> >> to be sure that dist-upgrade will not break my server by removing
> >> needed packages, for example mod_php for apache or things like that.
> >>
> >> FP
> >>
> >> 2007/6/7, Riku Valli <riku.valli@vallit.fi
> >> <mailto:riku.valli@vallit.fi>>:
> >>
> >>     Frédéric PICA wrote:
> >>     > Greets,
> >>     >
> >>     > I saw in 'man apt-get' that using apt-get upgrade does not
> >>     > install new packages or remove an already installed package.
> >>     > Is it possible that I didn't get the latest security fixes using
> >>     > apt-get upgrade in a cron job?
> >>     > I think particularly about security fixes that can't be
> >>     > backported to the Debian stable version and need upgrading the
> >>     > package to the latest available author version; what's going on if
> >>     > the package dependencies change? Will the security-patched package
> >>     > be installed with its new dependencies anyway, or will the package
> >>     > not be upgraded?
> >>     >
> >>     > Thanks for your help,
> >>     > FP
> >>     >
> >>     >
> >>     Hi
> >>
> >>     apt-get upgrade only upgrades your packages to a newer version. When
> >>     a package upgraded this way needs new extra packages, then upgrade
> >>     can't upgrade your package. You must install it.
> >>
> >>
> >>     -- Riku
> >>
> >>
> >Hi
> >
> >In the normal case, when you use Debian stable, you do only update/upgrade
> >and possibly need the switch -y (assume yes for every question). At stable,
> >dependencies normally never change. dist-upgrade is (at stable) only
> >used when you update Debian releases from older to newer.
> >
> >In the older stable there was only one kernel upgrade which needed manual
> >intervention.
> >
> >Maybe this is better explained in man aptitude, see below.
> >
> >      upgrade
> >           Upgrades installed packages to their most recent version.
> >           Installed packages will not be removed unless they are unused
> >           (see the section "Managing Automatically Installed Packages" in
> >           the aptitude reference manual); packages which are not currently
> >           installed will not be installed.
> >
> >           If a package cannot be upgraded without violating these
> >           constraints, it will be kept at its current version. Use the
> >           dist-upgrade command to upgrade these packages as well.
> >
> >      dist-upgrade
> >           Upgrades installed packages to their most recent version,
> >           removing or installing packages as necessary. This command is
> >           less conservative than upgrade and thus more likely to perform
> >           unwanted actions. Users are advised to either use upgrade
> >           instead or to carefully inspect the list of packages to be
> >           installed and removed.
> >
> >
> >-- Riku
> >
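The thread asks for exactly one thing apt does not hand you directly: a mail when `apt-get upgrade` would hold a package back because of new dependencies, so a human can look at it instead of a cron job either upgrading blindly or silently skipping a security fix. The script below is an added example, not code from this thread or from Debian; it parses the output of apt-get's own simulation mode (`apt-get -s upgrade`, which changes nothing) and reports the "kept back" and "will be upgraded" lists. It assumes apt-get's English message wording (hence LC_ALL=C) and uses a constructed sample transcript so it runs without touching a real system; the mail address in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: turn `apt-get -s upgrade`
# (simulate, change nothing) into a short report so a cron job can mail
# the admin about packages that `upgrade` would hold back, instead of
# upgrading blindly. Assumes apt-get's English message wording, so run
# it under LC_ALL=C.

# Print, one per line, the package names listed under the apt-get section
# whose header line is $1. Reads apt-get output on stdin. apt-get indents
# the package list by two spaces and may wrap it over several lines.
apt_section() {
    awk -v hdr="$1" '
        $0 == hdr            { insec = 1; next }
        insec && /^  /       { for (i = 1; i <= NF; i++) print $i; next }
        insec                { insec = 0 }
    '
}

kept_back()  { apt_section "The following packages have been kept back:"; }
to_upgrade() { apt_section "The following packages will be upgraded:"; }

# Read a full `apt-get -s upgrade` transcript on stdin and print a report.
# Exit status 1 when something was kept back (needs a human, or a
# deliberate dist-upgrade), 0 otherwise, so callers can branch on it.
report() {
    out=$(cat)
    upg=$(printf '%s\n' "$out" | to_upgrade)
    kept=$(printf '%s\n' "$out" | kept_back)
    printf 'Packages apt-get upgrade would install: %s\n' \
        "$(printf '%s\n' "$upg" | grep -c .)"
    [ -n "$upg" ] && printf '%s\n' "$upg"
    if [ -n "$kept" ]; then
        printf 'KEPT BACK (new dependencies; check by hand):\n%s\n' "$kept"
        return 1
    fi
    return 0
}

# Constructed sample transcript (not from a real run) in apt-get's format:
# foo is held back, bar/baz/libqux1 would be upgraded.
SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
The following packages have been kept back:
  foo
The following packages will be upgraded:
  bar baz
  libqux1
3 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Inst bar [1.0-1] (1.0-2 Debian:stable [amd64])'

# Stand-alone demo on the sample. In cron, feed the real thing instead
# (placeholder mail address):
#   LC_ALL=C apt-get -qq update && LC_ALL=C apt-get -s upgrade | report \
#       | mail -s "apt report for $(hostname)" admin@example.com
if printf '%s\n' "$SAMPLE" | report; then
    echo "nothing held back"
else
    echo "held-back packages found: review before upgrading"
fi
```

Because `-s` only simulates, the job can run daily and never changes the system; the admin then decides whether a held-back package is a transitional dependency change worth a hand-run `dist-upgrade` or something to look at more closely, which is the "check what will be updated and update methodically" approach the reply recommends.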


