Hi, FYI TurnKey Linux is a Debian derivative which builds a library of headless server "software appliances" using mostly Debian packages, but many with upstream software pre-installed on top.
I'm hoping to get some clarity on the "status" of the practice of adding new dependencies (not included in the security repo) when providing security-related updated packages.

For context, my question relates to a recent incident where ~70% of our library automatically uninstalled MariaDB when the recent security update[1] was released. If you want more detail, please see #914172[2].

[1] https://www.debian.org/security/2018/dsa-4341
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172

The crux of it is that we have a daily automated update task which installs packages exclusively from the security repo. The MariaDB security update included a new dependency on 'libconfig-inifiles-perl' (hosted in main, not security). As our config does not install packages from any repo other than security, this caused MariaDB to be uninstalled (an uninstallable dependency causing apt to remove the package(s)). I.e. our current config assumes that any new dependencies for security updates would also be included in the security repo.

If it is confirmed that this is expected (albeit uncommon) behaviour, we need to adjust our current auto-update config as it is not safe! If, instead, this was a mistake (human error), then we'd like to see how we might be able to support the Security team to avoid this happening again in the future. I have no idea what form this might take, but am open to suggestions.

Regards,
Jeremy
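As an added illustration (not part of the original mail, and not TurnKey's or Debian's actual files), the two configuration shapes the mail contrasts: a sources list that only exposes the security suite, beside one that keeps every suite resolvable and instead restricts which upgrades the updater applies. File paths and the suite name are assumptions (stretch, the release DSA-4341 covered); check them against your own release.

```conf
## Constructed example. Two alternative layouts, not one file.

## A) The failing shape described in the mail: the security suite is the only
##    enabled source. A security update that gains a dependency published in
##    "main" (here libconfig-inifiles-perl) has no candidate to satisfy it, and
##    a dist-upgrade resolves the conflict by removing the package instead.
# /etc/apt/sources.list  (assumed path)
deb http://security.debian.org/debian-security stretch/updates main

## B) Safer shape: keep the whole archive visible so new dependencies can be
##    fetched, and constrain *what gets upgraded* rather than *what exists*.
# /etc/apt/sources.list  (assumed path)
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/debian-security stretch/updates main

// /etc/apt/apt.conf.d/50unattended-upgrades  (assumed path)
// Only apply upgrades whose candidate version is published by Debian Security.
// A dependency that lives outside these origins holds the upgrade back rather
// than triggering a removal; confirm with `unattended-upgrades --dry-run -v`.
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// Never let the unattended run autoremove packages on its own.
Unattended-Upgrade::Remove-Unused-Dependencies "false";

// /etc/apt/apt.conf.d/99no-remove  (assumed path; for any cron job that
// still calls apt-get directly). Same effect as `apt-get --no-remove`:
// apt-get aborts the run if completing it would remove any package, so a
// missing dependency surfaces as a failed update instead of a silent uninstall.
APT::Get::Remove "false";
```

Layout B trades the original failure mode (MariaDB silently removed) for a visible one (the update is held back or the run aborts), which is the condition a monitoring check can alert on.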