Re: Security Updates
Hello Paul,
Thank you for your kind response to my inquiry.
My comments in-line below:
On Wed, 31 Aug 2016 14:48:36 +0100, Darac Marjal <mailinglist@darac.org.uk>
wrote:
>On Tue, Aug 30, 2016 at 12:58:47PM -0700, Larry Dighera wrote:
>>
>>This page <https://www.debian.org/releases/stable/errata> states:
>>
>> "If you use APT, add the following line to /etc/apt/sources.list to be able
>> to access the latest security updates:
>>
>> deb http://security.debian.org/ jessie/updates main contrib non-free
>>
>> After that, run apt-get update followed by apt-get upgrade."
>>
>>Adding that entry to /etc/apt/sources.list on the Raspberry Pi3 running Debian
>>Jessie results in an error message indicating that the public key is not found.
>>It also finds two libraries that require updating that are not found when the
>>above mentioned /etc/apt/sources.list entry is removed.
>
>As other people are discussing how to avoid the problems, let me have a
>go at answering your questions directly.
>
>>
>> 1. What do I need to do to prevent the error message?
>
>Check that "debian-archive-keyring" is installed.
>
# apt-get -s install debian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'raspbian-archive-keyring' instead of
'debian-archive-keyring'
raspbian-archive-keyring is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hmmm... I didn't expect that. Now I am confused. I don't recall where I got
the notion that I was running Debian Jessie as opposed to Raspbian Jessie. I
suppose it was from this link:
<https://www.raspberrypi.org/blog/raspbian-jessie-is-here/> where it is stated:
"Raspbian has now been updated to the new stable version of Debian, which
is called Jessie."
I guess I failed to make the distinction between Raspbian Jessie and Debian
Jessie. Me culpa.
>
>If that is showing as untrusted as well, then read https://ftp-master.debian.org/keys.html.
>Note the warning at the top, though: "Please note that the details here
>are for information only, you should not rely on them and use other ways
>to verify them."
>
I don't know if it's "showing as un-trusted," but I'm beginning to suspect my
confusion between Raspbian Jessie and Debian Jessie is the source of the issue
I experienced.
Here is the output from os-release and uname:
# cat ../usr/lib/os-release
PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
NAME="Raspbian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
# uname -a
Linux raspberrypi3 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l
GNU/Linux
I guess that puts a stake in the heart of this apparent non-issue.
>
>>
>> 2. As there are other security related URLs (doubtless, as
>> distributed/released) that are checked during apt-get update, is the
>> recommended additional entry advisable/useful for this platform?
>
>If you're running Debian, then that line should provide all the security
>updates you require. If you've added other repositories, though (PPAs,
>for example, or if you're using a debian-derived distribution such as
>Ubuntu, Mint, Devuan etc), then you should consult THOSE projects
>individually to see if they provide security updates (they may simply
>provide a rolling "bleeding edge" update model instead).
>
Apparently Raspbian Jessie is "a debian-derived distribution," and not Debian
Jessie as I erroneously believed until your assistance enlightened me.
I'll have to presume the default Raspbian Jessie apt sources repositories
provide the intended security robustness, despite the possible security issues
in libldap-2.4-2 and linux-libc-dev packages that came to light when I ran
apt-get update with the "deb http://security.debian.org/ jessie/updates main
contrib non-free" entry in my /etc/apt/sources.list.
As you suggested, I'll take this discussion to raspbian.org, and see if they
can shed some light on the possible security issues in the libldap-2.4-2 and
linux-libc-dev packages.
I am grateful your thoughtful and sagacious support, and the education I
received as a result. It's always good to grok truth. :-)
Best regards,
Larry
Reply to: