
Re: Restrict apt to specific Jessie distro



On 14/02/2016 12:49 AM, Christian Seiler wrote:
> On 02/13/2016 12:12 PM, Brendan Simon wrote:
>> Is there a way to restrict apt to a **specific release** of Jessie.
>> e.g. 8.1, 8.2, 8.3, ... ??
>>
>> I build root filesystems for embedded systems.  The sources.list is set
>> to Jessie, but the contents of the generated rootfs can change from one
>> day to the next if there have been updates.  I want to lock into a
>> specific release and be sure that the packages won't change if I build
>> now and 6 or 12 months later.
>>
>> What's the best way to do this?
>
> If you *really*, *really* want to do that against better judgment,
> you can use the http://snapshot.debian.org/ service. See the
> instructions there, just pick the current date. And realize that
> you are using old versions of software with potential security
> problems. (Even worse, since at least for me snapshot.d.o doesn't
> support https, and you have to disable Valid-Until in APT to make
> it work, an attacker in your network with man-in-the-middle
> capabilities could serve you versions of Jessie that are even
> older than the ones you want, which have more security problems
> and you wouldn't really notice it, especially if you automate your
> process.)
>
> Regards,
> Christian

Thanks Christian.  I've had a quick look at snapshot.debian.org and it might be worth considering.

The thing is, when you are deploying something to lots of sites (e.g. an embedded data logger in many remote locations), it's important to know exactly what versions you have created and installed, and more importantly be able to rebuild the exact same system sometime down the track, e.g. 6-12 months later, when a bug is reported and you need to be able to replicate the build and make changes based on that build.  Often a patch release will be deployed based on a build from that point in time, so as to not introduce any "new features" or unknown changes in behaviour.

Specifying a date in the apt sources.list may achieve that, by locking in the versions to that date or earlier.  Subsequent security-release-based updates can be achieved by updating the date at a controlled time, doing a build, testing thoroughly and then releasing.

Does apt not use keyrings or some kind of certificates for authenticating versions?

Thanks, Brendan.
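
Added example, not part of either poster's message: since a snapshot URL is meant to return the same archive state on every fetch, a build can record the Release file's Date and SHA-256 on the first run and refuse a rebuild where they differ, which catches the replay of an older signed Release that Christian describes once Valid-Until is disabled. The function names and sample Release headers are constructed for illustration, and the check assumes apt has already verified the file's signature.

```python
import hashlib
from email.parser import Parser            # Release files use RFC 822-style fields
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (checksum sections omitted for brevity).
PINNED_RELEASE = """\
Origin: Debian
Suite: stable
Version: 8.3
Codename: jessie
Date: Sat, 23 Jan 2016 13:14:39 UTC
"""
# Constructed stand-in for an older Release that still carries a valid signature.
OLDER_RELEASE = PINNED_RELEASE.replace("8.3", "8.2").replace(
    "Sat, 23 Jan 2016 13:14:39", "Sat, 05 Sep 2015 10:08:07")

def release_pin(release_text):
    """Reduce a Release file to the values recorded alongside a build."""
    fields = Parser().parsestr(release_text, headersonly=True)
    if fields["Date"] is None or fields["Codename"] is None:
        raise ValueError("Release file lacks Date or Codename")
    return {
        "codename": fields["Codename"],
        "date": parsedate_to_datetime(fields["Date"]),
        "sha256": hashlib.sha256(release_text.encode()).hexdigest(),
    }

def check_rebuild(pinned, fetched_text):
    """Return a list of problems; an empty list means the same archive state."""
    now = release_pin(fetched_text)
    problems = []
    if now["codename"] != pinned["codename"]:
        problems.append("codename changed")
    if now["date"] < pinned["date"]:
        problems.append("rollback: Release is older than the pinned one")
    elif now["date"] > pinned["date"]:
        problems.append("drift: Release is newer than the pinned one")
    elif now["sha256"] != pinned["sha256"]:
        problems.append("same Date but different content")
    return problems

if __name__ == "__main__":
    pin = release_pin(PINNED_RELEASE)      # stored with the first build
    print(check_rebuild(pin, PINNED_RELEASE))
    print(check_rebuild(pin, OLDER_RELEASE))
```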


