
Re: kernel security upgrade - "rebase?"



On Wed 21 Oct 2020 at 09:40:37 (+0300), Andrei POPESCU wrote:
> On Ma, 20 oct 20, 10:44:17, rhkramer@gmail.com wrote:
> > On Tuesday, October 20, 2020 05:10:33 AM Andrei POPESCU wrote:
> > > On Lu, 19 oct 20, 20:21:45, The Wanderer wrote:
> > > > To install that package and let the upgrade go forward, you have a few
> > > > options. The simplest, and the one I go with myself, would be to run
> > > > 
> > > > $ apt-get dist-upgrade
> > > 
> > > I disagree, the simplest and arguably slightly safer is
> > > 
> > >     apt upgrade
> > 
> > I agree, for an additional reason -- iiuc, if you are using an older version 
> > of Debian, dist-upgrade will attempt to upgrade to the current version, which 
> > could cause problems.

What do you mean by "older" and "current"? There's no reason to
suppose that sources.list has been touched. Perhaps the "dist-"
prefix is confusing¹, and makes you think there's a release
change involved. But one of the virtues of the apt-get command
line is its stability, hence its recommendation for scripting,
so that's unlikely to change.

> Actually you will just end up with a partially upgraded system, which 
> may be worse.
> 
> Your best course of action at that point is likely to follow-up with 
> dist-upgrade to switch completely to the next release.
> 
> This two-step distribution upgrade is actually a documented work around 
> for some issues on upgrades to the next release.
> 
> https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#minimal-upgrade

Are you not just compounding rhkramer's confusion?

The OP reported running a system where they were running "apt-get
update" (implied) and "apt-get upgrade" regularly (over a period
of weeks) but that their kernel wasn't up-to-date as it was being
held back.

That's standard behaviour, because linux kernel versions (as opposed
to Debian kernel versions) include their version number in the package
name, so apt-get won't install the new packages by default.

The next step, suitable for the great majority (including myself) is
to use "apt-get dist-upgrade" to allow the kernel to be upgraded.
(Where the previous kernel has been running satisfactorily for a
sufficient period, this can be followed by "apt-get --purge
autoremove" to remove the previously-old version.) (attached 1)

The OP had a problem with this sequence, in that ThunderBird was
also being held back, and they didn't want that upgraded because
of its interaction with EnigMail. There are several possible ways
of resolving that.

Pinning would work one-time, but would have to be updated every
few years, whenever the TB/EM problem recurs, because AIUI a
pin applies to a specific version.

Adding  --no-remove  to your script, or configuring  APT::Get::Remove
in /etc/apt/ will prevent accidental removal of packages by apt-get.

Using apt instead will work until your fingers type apt-get one time.
("Wired" fingers can be just as much a problem as not noticing/bothering
to read apt-get's warning.)

And The Wanderer pointed out that you can just "apt-get install
linux-image-amd64", another one-time method. (attached 2)

BTW I think "rebase" was an accidental slip of the pen, rather than
anything particularly different about this security upgrade.

¹ From  man aptitude:

 Note
    This command was originally named dist-upgrade for historical reasons, and
    aptitude still recognizes dist-upgrade as a synonym for full-upgrade.

Cheers,
David.

Start-Date: 2020-10-19  14:48:28
Commandline: apt-get upgrade
Upgrade: linux-libc-dev:amd64 (4.19.146-1, 4.19.152-1), linux-compiler-gcc-8-x86:amd64 (4.19.146-1, 4.19.152-1), linux-source:amd64 (4.19+105+deb10u6, 4.19+105+deb10u7), linux-kbuild-4.19:amd64 (4.19.146-1, 4.19.152-1), linux-config-4.19:amd64 (4.19.146-1, 4.19.152-1), linux-source-4.19:amd64 (4.19.146-1, 4.19.152-1)
End-Date: 2020-10-19  14:48:40

Start-Date: 2020-10-19  14:54:50
Commandline: apt-get dist-upgrade
Install: linux-headers-4.19.0-12-amd64:amd64 (4.19.152-1, automatic), linux-image-4.19.0-12-amd64:amd64 (4.19.152-1, automatic), linux-headers-4.19.0-12-common:amd64 (4.19.152-1, automatic)
Upgrade: linux-image-amd64:amd64 (4.19+105+deb10u6, 4.19+105+deb10u7), linux-headers-amd64:amd64 (4.19+105+deb10u6, 4.19+105+deb10u7)
End-Date: 2020-10-19  14:56:19

Start-Date: 2020-10-19  14:57:22
Commandline: apt-get --purge autoremove
Purge: linux-headers-4.19.0-10-amd64:amd64 (4.19.132-1), linux-image-4.19.0-10-amd64:amd64 (4.19.132-1), linux-headers-4.19.0-10-common:amd64 (4.19.132-1)
End-Date: 2020-10-19  14:57:43

# apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-headers-amd64 linux-image-amd64
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
# 

# apt-get install linux-headers-amd64 linux-image-amd64
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  linux-headers-4.19.0-12-amd64 linux-headers-4.19.0-12-common linux-image-4.19.0-12-amd64
Suggested packages:
  linux-doc-4.19 debian-kernel-handbook
The following NEW packages will be installed:
  linux-headers-4.19.0-12-amd64 linux-headers-4.19.0-12-common linux-image-4.19.0-12-amd64
The following packages will be upgraded:
  linux-headers-amd64 linux-image-amd64
2 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 57.7 MB of archives.
After this operation, 326 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
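
The "kept back" behaviour described in the message above, as an added example that is not part of the original post: a shell check that reads `apt-get upgrade` output and reports kernel metapackages left in the kept-back list, meaning a kernel update that plain `upgrade` will not install. The function names are hypothetical, and the sample input is the output attached to the message.

```shell
#!/bin/sh
# Added example (not from the original message): spot a kernel update
# that "apt-get upgrade" has kept back.

# Sample input: the "apt-get upgrade" output attached to the message.
sample_output() {
cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-headers-amd64 linux-image-amd64
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
EOF
}

# Read apt-get output on stdin; print one kept-back package per line.
# The package list is the run of indented lines after the header line.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }
    '
}

# Read apt-get output on stdin; print only the kept-back kernel packages.
# Exit status is 0 if at least one was found, 1 otherwise.
kernel_kept_back() {
    kept_back | grep -E '^linux-(image|headers)-'
}

# On a live system, feed it a simulated run (no changes are made):
#   LC_ALL=C apt-get -s upgrade | kernel_kept_back
# LC_ALL=C keeps the header line in English so the pattern matches.

# Demonstration on the sample input.
if sample_output | kernel_kept_back >/dev/null; then
    echo "kernel update pending; plain 'apt-get upgrade' will not install it"
fi
```

A non-zero exit from `kernel_kept_back` means no kernel metapackage is waiting, even if other packages (Thunderbird in the OP's case) are still kept back.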
