Kenneth Dombrowski wrote:
On 03-10-19 16:14 -0500, Kent West wrote:(You're leaving the stable lines in so you can get packages that haven't seen any development since stable and therefore aren't in the unstable branch, and you're leaving in the security line to get security patches, which are applied to stable when problems are found but not necessarily incorporated immediately into the unstable packages).You don't have to leave in references to stable. Maybe if you're pinning, but to convert completely to unstable, the unstable repository is a complete distribution.
That's what I thought too, and that may be the way things are "officially", but some months back I had two unstable machines; there was some piece of software that was newer on one than on the other (don't remember what now). The one with the older software would not update, because it had some broken dependency, even though I kept going through the process every day or so. Eventually I realized that the box with the updated software had the stable lines in sources.list, and I reasoned that the dependency must've been in the stable repository but not the unstable. So I added stable to my box with the older software, and the next update updated the software in question.
Also, I believe security upgrades in unstable are just uploaded directly to the repository, so you don't need to keep the security line.
It's my understanding that when a vulnerability is found, the first thing done is to make a patch and put it in the stable security tree. Getting the vulnerability fixed in unstable packages has a lower priority than keeping stable up-to-date. Then the fixed package in stable security, being newer than the unpatched version in unstable, would get pulled in on the next upgrade. But that's just my understanding, and could very well be wrong.
-- Kent