
Re: Security Updates



Hello Paul,

Thank you for your kind response to my inquiry.

My comments in-line below:


On Wed, 31 Aug 2016 14:48:36 +0100, Darac Marjal <mailinglist@darac.org.uk>
wrote:

>On Tue, Aug 30, 2016 at 12:58:47PM -0700, Larry Dighera wrote:
>>
>>This page <https://www.debian.org/releases/stable/errata> states:
>>
>>    "If you use APT, add the following line to /etc/apt/sources.list to be able
>>    to access the latest security updates:
>>
>>    deb http://security.debian.org/ jessie/updates main contrib non-free
>>
>>    After that, run apt-get update followed by apt-get upgrade."
>>
>>Adding that entry to /etc/apt/sources.list on the Raspberry Pi3 running Debian
>>Jessie results in an error message indicating that the public key is not found.
>>It also finds two libraries that require updating that are not found when the
>>above mentioned /etc/apt/sources.list entry is removed.
>
>As other people are discussing how to avoid the problems, let me have a 
>go at answering your questions directly.
>
>>
>>  1.  What do I need to do to prevent the error message?
>
>Check that "debian-archive-keyring" is installed. 
>

    # apt-get -s install debian-archive-keyring
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Note, selecting 'raspbian-archive-keyring' instead of
    'debian-archive-keyring'
    raspbian-archive-keyring is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Hmmm...  I didn't expect that.  Now I am confused.  I don't recall where I got
the notion that I was running Debian Jessie as opposed to Raspbian Jessie.  I
suppose it was from this link:
<https://www.raspberrypi.org/blog/raspbian-jessie-is-here/> where it is stated:

    "Raspbian has now been updated to the new stable version of Debian, which
    is called Jessie."

I guess I failed to make the distinction between Raspbian Jessie and Debian
Jessie.  Mea culpa.

>
>If that is showing as untrusted as well, then read https://ftp-master.debian.org/keys.html.  
>Note the warning at the top, though: "Please note that the details here 
>are for information only, you should not rely on them and use other ways 
>to verify them."
>

I don't know if it's "showing as un-trusted," but I'm beginning to suspect my
confusion between Raspbian Jessie and Debian Jessie is the source of the issue
I experienced.  

Here is the output from os-release and uname:

     # cat ../usr/lib/os-release
    PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
    NAME="Raspbian GNU/Linux"
    VERSION_ID="8"
    VERSION="8 (jessie)"
    ID=raspbian
    ID_LIKE=debian
    HOME_URL="http://www.raspbian.org/"
    SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
    BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
    
    
     # uname -a
    Linux raspberrypi3 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l
    GNU/Linux
    
I guess that puts a stake in the heart of this apparent non-issue. 

>
>>
>>  2.  As there are other security related URLs (doubtless, as
>>  distributed/released) that are checked during apt-get update, is the
>>  recommended additional entry advisable/useful for this platform?
>
>If you're running Debian, then that line should provide all the security 
>updates you require. If you've added other repositories, though (PPAs, 
>for example, or if you're using a debian-derived distribution such as 
>Ubuntu, Mint, Devuan etc), then you should consult THOSE projects 
>individually to see if they provide security updates (they may simply 
>provide a rolling "bleeding edge" update model instead).
>

Apparently Raspbian Jessie is "a debian-derived distribution," and not Debian
Jessie as I erroneously believed until your assistance enlightened me.

I'll have to presume the default Raspbian Jessie apt sources repositories
provide the intended security robustness, despite the possible security issues
in libldap-2.4-2 and linux-libc-dev packages that came to light when I ran
apt-get update with the "deb http://security.debian.org/ jessie/updates main
contrib non-free" entry in my /etc/apt/sources.list.

As you suggested, I'll take this discussion to raspbian.org, and see if they
can shed some light on the possible security issues in the libldap-2.4-2 and
linux-libc-dev packages.

I am grateful for your thoughtful and sagacious support, and the education I
received as a result.  It's always good to grok truth.  :-)

Best regards,
Larry
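
The mismatch this message uncovers (a security.debian.org line in /etc/apt/sources.list on a system whose os-release says ID=raspbian) can be checked mechanically. The shell sketch below is an added example, not part of the original message; the function names are hypothetical, and the sample files, including the Raspbian mirror line, are constructed for illustration.

```shell
#!/bin/sh
# Flag APT source lines that use a debian.org archive on a system whose
# os-release ID is not "debian" (the ID=raspbian case in this thread).

# os_release_id FILE: print the ID= value of an os-release file.
os_release_id() {
    sed -n 's/^ID=//p' "$1" | tr -d "\"'" | head -n 1
}

# foreign_debian_sources OS_RELEASE SOURCES_LIST
# Prints every active deb/deb-src line whose URI host is under debian.org
# when the distribution is only Debian-derived. Exit status 0 = found some.
foreign_debian_sources() {
    id=$(os_release_id "$1")
    if [ "$id" = "debian" ]; then return 1; fi   # genuine Debian: nothing to flag
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [opt=val ...] block, which may span fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            if ($i ~ "^[a-z+]+://([^/]*\\.)?debian\\.org(:[0-9]+)?(/|$)") {
                print; found = 1
            }
        }
        END { exit !found }
    ' "$2"
}

# Constructed sample input (not real system files), modelled on the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/os-release" <<'EOF'
PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
ID=raspbian
ID_LIKE=debian
EOF
cat > "$tmp/sources.list" <<'EOF'
deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# deb http://security.debian.org/ jessie/updates main
deb http://security.debian.org/ jessie/updates main contrib non-free
EOF

flagged=$(foreign_debian_sources "$tmp/os-release" "$tmp/sources.list") || flagged=""
printf 'ID=%s\nflagged: %s\n' "$(os_release_id "$tmp/os-release")" "${flagged:-none}"
```

On a real system the two arguments would be /etc/os-release and /etc/apt/sources.list; files under /etc/apt/sources.list.d/ would need the same check.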

