[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security updates for wheezy breaking my FAI-installation

Am 2015-05-04 13:31, schrieb Alexis:
* Since it mentions things like updates to virus scanners, it  seemed
plausible to me that it was indeed the same repo. If, as you  assert,
it's not, then i think it's concerning that there are  /two/ distinct
repos one needs to enable in order to get all  relevant security

* The page doesn't explain if 'wheezy-updates' is distinct from
'wheezy-backports', and if so, again, why there are two repos
apparently addressing the same issue. (To wit, how to get more recent
versions of packages than were released with stable.)

* The phrase "When a new package is made available via
wheezy-updates"  is ambiguous to me; it can be read as either "a new
package  [that wasn't included in the initial release of wheezy]", or
"a  new [version of a] package [that was included in the initial
release of wheezy]".

So, no, from my perspective, that page does /not/ describe "precisely
what wheezy-updates is".

Ok, since there appears to be some kind of confusion, I'll explain.

There are 5 official repositories for Debian wheezy:

 (1) debian wheezy
 (2) debian-security wheezy/updates
 (3) debian wheezy-updates
 (4) debian wheezy-backports
 (5) debian wheezy-backports-sloppy

(Same for jessie. squeeze is very similar, but backports is at a
different location for historical reasons.)

Repository (1) contains the packages of the latest wheezy point
release (currently 7.8). Every time a new point release is made, e.g.
7.9 in the near future, this repository will be updated with new
packages, but otherwise remains static.

Repository (2) contains security updates, i.e. updates to packages
that fix known security holes. Each update is accompanied with an
advisory describing the security hole.

Repository (3) contains a select number of packages from the pending
point release, but is available immediately after the packages have
been uploaded and accepted, not just at the time the point release is
made. Every time a point release is made, the packages in this
repository will also be found in repository (1). The reason this
repository exists is to provide quicker for some specific packages. I
already mentioned the examples of virus scanner definitions and
timezone database updates. Note that virus scanner definition updates
do NOT qualify as security updates per se, since it's not a security
bug that's fixed by this.

Repository (4) contains backports from jessie to wheezy. These are
packages that will _never_ be part of a wheezy point release. They
are provided for convenience reasons, because sometimes you need more
recent versions of certain software packages. For example,
wheezy-backports contains a more recent version of LibreOffice and
the same kernel version as Jessie has. Backports do not necessarily
receive the same amount of support the release itself receives,
there it depends on the backporter as to how well maintained it is.
(The examples I mentioned are well-maintained in backports from my
experience, but with other packages YMMV.)

Repository (5) contains backports from stretch (jessie + 1) and sid
to wheezy. The policy of backports (4) is to be able to upgrade a
system from wheezy + wheezy-backports to jessie (without
jessie-backports), whereas backports-sloppy (5) also contains
packages that are either not in jessie or newer versions than even
jessie has.

Now what to put in your sources.list?

 - At the very minimum, add the main repository (1) + the security
   updates (2).

   This means that you will have to take care of upgrades at every
   new point release only - or when one of the packages you are
   using has a security flaw and needs to be fixed.

 - If you are running software such as virus scanners or something
   that relies on accurate time zone information (say you are
   running a web site that needs to know about time zones because
   lots of people internationally use it - and you want to be able
   to keep up with countries that decide with just 1 or 2 days of
   advance notice when they change their time zone rules - like
   Egypt recently did), also add the wheezy-updates repository
   (3) to get updates to those things faster, not only at point
   releases. You will need to update slightly more often. After
   each point release, you will have the same set of packages as

 - If you need a more recent version of a package, you might find
   it in wheezy-backports (4). Note that if you are using
   backports, you should be a bit more knowlegable when it comes
   to using apt and solving dependency conflicts. And you should
   definitely read the changelogs and NEWS files of packages
   before taking the backports version, else you might run into
   a few surprises. (Example: package A drops support for
   feature B in Jessie. Wheezy's version still had that feature,
   but Jessie's doesn't anymore. Since the package in
   wheezy-backports comes from Jessie, it will also not have
   feature B anymore. This case is mentioned in the release
   notes of Jessie, but backports are just single packages, so
   you really need to read the docs before installing things.)

   Note that backports by default doesn't have the same priority
   as the other repositories, so just putting it in sources.list
   will typically not install anything from there (the exception
   being packages that aren't in wheezy at all), you have to
   explicitly ask for that (e.g. package pinning). This is
   because you typically want to use a couple of packages from
   backports, but not necessarily all that are available.

 - If you need a more recent version of a package and it's not
   in wheezy-backports (4) and also not in jessie, then you
   might find it in wheezy-backports-sloppy. But here you
   should be extra careful as compared to wheezy-backports

Of course, the same logic also applies for Jessie, so the same
five repositories exist for Jessie - with the same logic
behind them.


Reply to: