
Re: Security updates for wheezy breaking my FAI-installation



On 2015-05-04 13:31, Alexis wrote:
> * Since it mentions things like updates to virus scanners, it seemed
> plausible to me that it was indeed the same repo. If, as you assert,
> it's not, then i think it's concerning that there are /two/ distinct
> repos one needs to enable in order to get all relevant security
> updates.
>
> * The page doesn't explain if 'wheezy-updates' is distinct from
> 'wheezy-backports', and if so, again, why there are two repos
> apparently addressing the same issue. (To wit, how to get more recent
> versions of packages than were released with stable.)
>
> * The phrase "When a new package is made available via
> wheezy-updates" is ambiguous to me; it can be read as either "a new
> package [that wasn't included in the initial release of wheezy]", or
> "a new [version of a] package [that was included in the initial
> release of wheezy]".
>
> So, no, from my perspective, that page does /not/ describe "precisely
> what wheezy-updates is".

Ok, since there appears to be some kind of confusion, I'll explain.

There are 5 official repositories for Debian wheezy:

 (1) debian wheezy
 (2) debian-security wheezy/updates
 (3) debian wheezy-updates
 (4) debian wheezy-backports
 (5) debian wheezy-backports-sloppy

(Same for jessie. squeeze is very similar, but backports is at a
different location for historical reasons.)

Repository (1) contains the packages of the latest wheezy point
release (currently 7.8). Every time a new point release is made, e.g.
7.9 in the near future, this repository will be updated with new
packages, but otherwise remains static.

Repository (2) contains security updates, i.e. updates to packages
that fix known security holes. Each update is accompanied with an
advisory describing the security hole.

Repository (3) contains a select number of packages from the pending
point release, but is available immediately after the packages have
been uploaded and accepted, not just at the time the point release is
made. Every time a point release is made, the packages in this
repository will also be found in repository (1). The reason this
repository exists is to provide quicker updates for some specific packages. I
already mentioned the examples of virus scanner definitions and
timezone database updates. Note that virus scanner definition updates
do NOT qualify as security updates per se, since it's not a security
bug that's fixed by this.

Repository (4) contains backports from jessie to wheezy. These are
packages that will _never_ be part of a wheezy point release. They
are provided for convenience reasons, because sometimes you need more
recent versions of certain software packages. For example,
wheezy-backports contains a more recent version of LibreOffice and
the same kernel version as Jessie has. Backports do not necessarily
receive the same amount of support the release itself receives,
there it depends on the backporter as to how well maintained it is.
(The examples I mentioned are well-maintained in backports from my
experience, but with other packages YMMV.)

Repository (5) contains backports from stretch (jessie + 1) and sid
to wheezy. The policy of backports (4) is to be able to upgrade a
system from wheezy + wheezy-backports to jessie (without
jessie-backports), whereas backports-sloppy (5) also contains
packages that are either not in jessie or newer versions than even
jessie has.




Now what to put in your sources.list?


 - At the very minimum, add the main repository (1) + the security
   updates (2).

   This means that you will have to take care of upgrades at every
   new point release only - or when one of the packages you are
   using has a security flaw and needs to be fixed.

 - If you are running software such as virus scanners or something
   that relies on accurate time zone information (say you are
   running a web site that needs to know about time zones because
   lots of people internationally use it - and you want to be able
   to keep up with countries that decide with just 1 or 2 days of
   advance notice when they change their time zone rules - like
   Egypt recently did), also add the wheezy-updates repository
   (3) to get updates to those things faster, not only at point
   releases. You will need to update slightly more often. After
   each point release, you will have the same set of packages as
   before.

 - If you need a more recent version of a package, you might find
   it in wheezy-backports (4). Note that if you are using
   backports, you should be a bit more knowledgeable when it comes
   to using apt and solving dependency conflicts. And you should
   definitely read the changelogs and NEWS files of packages
   before taking the backports version, else you might run into
   a few surprises. (Example: package A drops support for
   feature B in Jessie. Wheezy's version still had that feature,
   but Jessie's doesn't anymore. Since the package in
   wheezy-backports comes from Jessie, it will also not have
   feature B anymore. This case is mentioned in the release
   notes of Jessie, but backports are just single packages, so
   you really need to read the docs before installing things.)

   Note that backports by default doesn't have the same priority
   as the other repositories, so just putting it in sources.list
   will typically not install anything from there (the exception
   being packages that aren't in wheezy at all), you have to
   explicitly ask for that (e.g. package pinning). This is
   because you typically want to use a couple of packages from
   backports, but not necessarily all that are available.

 - If you need a more recent version of a package and it's not
   in wheezy-backports (4) and also not in jessie, then you
   might find it in wheezy-backports-sloppy. But here you
   should be extra careful as compared to wheezy-backports
   itself.

Of course, the same logic also applies for Jessie, so the same
five repositories exist for Jessie - with the same logic
behind them.

Christian
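
As an added example (not part of the original message), this script classifies the active `deb` lines of a sources.list into the five repository classes listed above and checks that the stated minimum, main (1) plus security (2), is enabled. The function names and the `mirror.example` URLs are assumptions made for illustration; the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit which of the five repository classes a sources.list enables.

# classify_sources FILE [RELEASE]: print one class per active "deb" line.
classify_sources() {
    awk -v rel="${2:-wheezy}" '
        $1 != "deb" { next }              # ignore comments, blanks and deb-src
        {
            i = 2
            if ($i ~ /^\[/) {             # skip an optional [ option=value ] block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)              # the suite follows the URI
            if      (suite == rel)                     print "main"
            else if (suite == rel "/updates")          print "security"
            else if (suite == rel "-updates")          print "updates"
            else if (suite == rel "-backports")        print "backports"
            else if (suite == rel "-backports-sloppy") print "backports-sloppy"
            else                                       print "other:" suite
        }' "$1" | sort -u
}

# has_minimum FILE [RELEASE]: succeed only if repositories (1) and (2) are both enabled.
has_minimum() {
    classes=$(classify_sources "$1" "${2:-wheezy}")
    printf '%s\n' "$classes" | grep -qx main &&
        printf '%s\n' "$classes" | grep -qx security
}

# Constructed sample: wheezy-updates enabled, security line left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://mirror.example/debian wheezy main
# deb http://mirror.example/debian-security wheezy/updates main
deb [arch=amd64] http://mirror.example/debian wheezy-updates main
deb-src http://mirror.example/debian wheezy main
deb http://mirror.example/debian wheezy-backports main
EOF

classify_sources "$sample"
has_minimum "$sample" || echo "missing (1) main or (2) security for wheezy"
```

The sample reproduces the confusion discussed in this thread: wheezy-updates is enabled but wheezy/updates is not, so the check fails even though an "updates" repository is present.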

