Re: How automatic are backport package updates?



On Fri, Feb 12, 2021 at 12:05:44PM -0500, Michael Grant wrote:
> Replying to this message that's just over a month old now.  Now that
> 10.8 just came out, is this a good time to jump off the testing repo
> and onto stable for my production box?  Is this one of those rare
> moments when testing and stable line up?  Or should I continue to wait
> for Bullseye?
> 

The below is my opinion: it is informed by watching other folk have problems over the years.

TLDR; - If you are running a production system - run Debian's latest stable release. Stable 
gets security support and backported fixes for security issues.

Release overview:
================

Debian releases trickle down over a period of years: Unstable (code name Sid) -> Testing -> Stable.
[There is also an Experimental repository - but I'll leave that out for the sake of brevity].

Fictitious example: Take the case of a brand new package Foo which, we'll say, is a personal productivity
 app. and updates regularly but on a fairly long timescale.

Debian unstable == codename "Sid"
---------------------------------

If package foo is introduced today, it will go into Sid in source code form and be built there. Sid is never
expected to be released in this form and receives no formal security or other support. If you run Sid, you're
expected to be experienced enough to fix any problems yourself. Major upgrades of something like a desktop
environment can sit in Sid for many months until all the components are ready and all dependencies are
sorted out. Package churn can be severe and unpredictable.

After a short while with no major problems, and a minimal amount of testing, package foo can pass to Testing. 

Debian testing == codename "Bullseye" == Debian 11 when released.
----------------------------------------------------------------

"Testing" is preparation for the next large scale release of Debian. Testing effectively collects packages for
a couple of years until a freeze period and eventual release. [Debian 11 (code name Bullseye) - is at that
 stage at the moment: the freeze period has started relatively recently - it may be released in June 2021 or 
so following further freeze stages, all other things being equal.] 

At this point, package foo will not go into current stable: it will only be prepared for the NEXT release of
Debian months or years away.

There is a backports repository. This is a way to run a small number of packages from Debian testing on a
stable system. This might, for example, be an updated kernel because 5.10.x runs on your brand new hardware
whereas 4.19.x won't run the hardware correctly. These packages are built against the versions of the packages
in Debian stable (otherwise they won't run there) but provide new/different versions to those supported in stable.
No security support as such - if you're running backports, you are very much on your own / out as an edge case.

If enough users of Debian stable really wanted package foo, it could, conceivably be put here into the backports
repository, but if it wasn't originally released as part of stable, you can't readily slipstream something straight
into Stable.

Package version numbers:
-----------------------

Very well established packages might have the same or subtly different versions from Sid all the way down to stable. 
It could be that there's version 4.x newly released in Sid, 3.x in Testing and 2.x in Stable for example with the 
different versions reflecting different codebases. 

Stable release == Debian 10 (Buster) as at 20200213
==============

As of today: Debian's latest stable release is Debian 10 - codename Buster - and the point release is Debian 10.8 (released on
February 8th, 2021). In due course, there will likely be a 10.9 - updates which roll up security updates / changes etc. occur
approximately every three months.

If you run a stable system, and keep it regularly updated, then the point releases will be very small changes as they occur.

"Frankendebian"
---------------

You shouldn't cherry pick between releases because that leads to instability. Likewise "I'll just pull XYZ from Ubuntu and
expect it to work on Debian X" will occasionally work but more often than not produce impossible problems of dependency
and version instability which require significant unpicking.

All best, as ever,

Andy C.


> On Tue, Jan 12, 2021 at 10:35:05AM -0500, Dan Ritter wrote:
> > Michael Grant wrote: 
> 
> >> Let's say I want to run 'testing' to be more on the edge to get the
> >> latest and greatest of packages and to incrementally always be on top
> >> of updates rather than having to do large release updates.  But from
> >> time to time there is a security update to a package which is newer,
> >> or if something specific is broken, I may want to go back to a
> >> specific version of something.  What should I put in my sources.list?
> > 
> > Are you running a production system?
> 
> Yes.
> 
> > That is, are you running a Debian system which is essential to
> > your business or personal activities, so that having to recover
> > from a disaster would be a significant hardship?
> 
> Well, yes, though I do have daily snapshots.
> 
> > If so, you should be running buster, and considering moving to
> > the next stable release no sooner than a few weeks after the
> > transition to bullseye. You should accept security updates as
> > soon as is convenient for you, on an ongoing basis. Backports
> > are to solve specific issues.
> > 
> > If you are running a system for fun, or if there is no real
> > issue with protracted unavailability, testing is a fine thing
> > to be running. You should expect a little chaos every time you
> > update.
> > 
> > Only stable gets security updates. Testing may get security
> > updates when they come from upstream, but it's not guaranteed.
> 
> I thought all security updates were tested in testing, committed to
> testing, and then also committed to stable-security.  I had not
> noticed that testing was not getting security updates, I thought it
> was, maybe again, it was just luck that the packages I noticed needed
> security updates were the ones I mentally track most like sendmail,
> dovecot, spamassassin...
> 
> Michael Grant
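
Added example, not part of either poster's message: a small Python check for the "Frankendebian" mixing and the missing security suite discussed in this thread, run over a constructed sources.list. It assumes the one-line `deb` format and compares suite names literally (aliases such as stable/testing are not resolved to codenames); the function names are hypothetical.

```python
import re

# Constructed sample: a buster system that also pulls packages from bullseye.
SAMPLE = """\
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster-backports main
# deb-src http://deb.debian.org/debian buster main
deb [arch=amd64] http://deb.debian.org/debian bullseye main contrib
"""

# Suffixes that mark a side suite of a base release.
SUFFIX = re.compile(r"(/updates|-updates|-security|-backports|-proposed-updates)$")


def parse_sources(text):
    """Return (base_release, suite) for each active one-line-style entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        line = re.sub(r"\[[^\]]*\]", "", line)    # drop [options]
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        suite = fields[2]
        entries.append((SUFFIX.sub("", suite), suite))
    return entries


def audit(text):
    """List findings: mixed releases, missing security suite, backports in use."""
    entries = parse_sources(text)
    bases = sorted({base for base, _ in entries})
    suites = {suite for _, suite in entries}
    findings = []
    if len(bases) > 1:
        findings.append("mixed releases: " + ", ".join(bases))
    for base in bases:
        # buster names its security suite "buster/updates"; bullseye uses "-security"
        if not ({base + "/updates", base + "-security"} & suites):
            findings.append("no security suite for " + base)
    for suite in sorted(suites):
        if suite.endswith("-backports"):
            findings.append("backports enabled: " + suite)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
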


