On 2019-06-14 Marc Haber <mh+debian-packa...@zugschlus.de> wrote:
> Package: exim4
[...]
> for some possibly historical reason, the dependencies between the exim
> packages are not versioned. This might lead to the latest security
> updates not being installed if some people just do apt install exim4
> instead of the recommended apt upgrade.
>
> I think that our packages should more closely depend on each other to
> avoid running an older exim4-daemon with a later exim4-base, forcing
> daemon upgrades even if somebody only upgrades exim4.

Hello Marc,

there are some semi-strict dependencies:

exim4 requires exim4-base from the same Debian source version and one of
the daemon packages (unversioned).

The daemon packages require exim4-base of at least the same upstream
version.

exim4-base requires exim4-config and Breaks daemon packages of older
upstream versions.

So what we currently have is that exim4, -base, and -daemon-* share the
same upstream version and exim4 and -base are built from the same source
(not the same binNMU).

You are suggesting to version the exim4 -> daemon dependency like this:

Depends: exim4-daemon-light (>= ${source:Version}) |
         exim4-daemon-heavy (>= ${source:Version}) |
         exim4-daemon-custom (>= ${source:Version})

I see two possible downsides:

* Theoretically a dumb dependency-resolver might break upgrades, choosing
  the first alternative instead of checking whether upgrading everything
  fulfills the dependency. I think we can discount this.

* The -daemon-custom situation. I think the main reason why the
  dependencies are as they are is to not enforce a rebuild of
  exim4-daemon-custom for minor (i.e. Debian-revision) changes. This made
  a lot of sense when the packaging changed a lot, i.e. there were many
  uploads that would have produced the same -daemon-custom. Nowadays
  almost every upload includes a new patch from -fixes so it might make
  sense to change this.

cu Andreas

PS: FWIW I do not think the original argument (I did "apt-get install
exim4" and am still CVE-xxx vulnerable) is a weak one. Linux packages
often and for a long time have split upstream sources into multiple
binaries. Therefore selective upgrades by "apt-get install somebinary"
would often be incomplete. You'll either need to read every DSA in detail
and manually compare the list of upgraded/fixed packages with the
installed list or just do "apt-get upgrade".

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.' `I sew his ears on from time to time, sure'
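The partial-upgrade hazard discussed in this thread (an older exim4-daemon-* left installed next to a newer exim4-base) can be checked for on a running system. The following is an added example, not code from this thread or from the exim4 packaging: it parses lines in the shape of `dpkg-query -W -f '${Package}\t${Version}\n' 'exim4*'` output (the sample lines and version numbers below are constructed, not taken from any real system) and reports any package that violates the invariants Andreas lists: exim4 and exim4-base come from the same source version (binNMU suffix ignored), and every installed daemon package is at the same upstream version as exim4-base. The version splitting follows the dpkg `[epoch:]upstream[-revision]` convention with a trailing `+bN` treated as a binNMU marker; all function names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample output in the shape of
#   dpkg-query -W -f '${Package}\t${Version}\n' 'exim4*'
# Hypothetical version numbers, not taken from the mail thread.
SAMPLE_MIXED = """\
exim4\t4.92-8
exim4-base\t4.92-8+b1
exim4-config\t4.92-8
exim4-daemon-light\t4.89-2+deb9u4
"""

SAMPLE_OK = """\
exim4\t4.92-8
exim4-base\t4.92-8+b1
exim4-config\t4.92-8
exim4-daemon-heavy\t4.92-8
"""


class DebVersion(NamedTuple):
    epoch: int
    upstream: str
    revision: str   # Debian revision with any binNMU suffix removed
    binnmu: int     # N from a trailing "+bN", else 0


def parse_version(version: str) -> DebVersion:
    """Split [epoch:]upstream[-revision][+bN] the way dpkg does."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    # The Debian revision is everything after the *last* hyphen.
    upstream, _, revision = version.rpartition("-")
    if not upstream:          # native package: no revision at all
        upstream, revision = revision, ""
    binnmu = 0
    m = re.fullmatch(r"(.*)\+b(\d+)", revision)
    if m:
        revision, binnmu = m.group(1), int(m.group(2))
    return DebVersion(epoch, upstream, revision, binnmu)


def source_version(v: DebVersion) -> str:
    """The ${source:Version} form: binNMU suffix dropped, epoch kept."""
    base = f"{v.upstream}-{v.revision}" if v.revision else v.upstream
    return f"{v.epoch}:{base}" if v.epoch else base


def parse_dpkg_query(text: str) -> Dict[str, DebVersion]:
    """Map package name -> parsed version from tab-separated query lines."""
    installed: Dict[str, DebVersion] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        installed[name.strip()] = parse_version(version.strip())
    return installed


def audit_exim4(text: str) -> List[str]:
    """Return one message per violated invariant; an empty list means consistent."""
    pkgs = parse_dpkg_query(text)
    findings: List[str] = []
    meta, base = pkgs.get("exim4"), pkgs.get("exim4-base")
    if meta is None or base is None:
        return ["exim4 or exim4-base not installed; nothing to compare"]
    # exim4 and exim4-base must be built from the same source upload.
    if source_version(meta) != source_version(base):
        findings.append(
            f"exim4 {source_version(meta)} and exim4-base "
            f"{source_version(base)} come from different source versions")
    # Every daemon flavour must match exim4-base's upstream version.
    daemons = [p for p in pkgs if p.startswith("exim4-daemon-")]
    if not daemons:
        findings.append("no exim4-daemon-* package installed")
    for name in daemons:
        if pkgs[name].upstream != base.upstream:
            findings.append(
                f"{name} upstream {pkgs[name].upstream} differs from "
                f"exim4-base upstream {base.upstream}")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("mixed", SAMPLE_MIXED)):
        print(label, audit_exim4(sample) or ["consistent"])
```

On a real host, pipe the `dpkg-query` output into `audit_exim4` instead of the constructed samples; a non-empty result is the "installed exim4 but still running the old daemon" state the thread warns about.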