On Thu, Jul 22, 2021 at 04:00:26PM +0200, Marco Möller wrote:
> On 22.07.21 13:49, Tixy wrote:
> > On Thu, 2021-07-22 at 12:23 +0200, Marco Möller wrote:
> > > Hello everyone! The Debian development branch "bullseye"(/testing) is in
> > > status "full freeze", if I am correctly informed, and packages from
> > > /unstable are for quite some time already no more automatically moved
> > > from /unstable to /testing.
> > > Do you know how Debian handles situations like the current
> > > CVE-2021-33909 patched kernel being already in /unstable but for sure
> > > also /testing, the soon /stable, would benefit from receiving the patch
> > > as provided in 5.10.46-2 ?
> > > The patched version I am speaking about is this:
> > > linux-image-5.10.0-8-amd64/unstable 5.10.46-2 amd64
> > > In my "bullseye" installation, which I update daily, I still have
> > > linux-image-5.10.0-7-amd64/testing,now 5.10.40-1 amd64
> >
> > 5.10.46-2 is now in testing, I've just updated to it.
> >
> > Presumably the process is as described in full freeze announcement,
> > i.e. package developer makes unblock request to allow migration into
> > testing and release team grant it if they think it meets the criteria
> > for release.
> >
>
> It meanwhile arrived also in the mirror which I am using. Nice.
>
> So, although it is full freeze time, the former kernel with all its already
> known and tested functionality will not be specially patched, but the new
> kernel is taken although it besides containing the patch might also bring
> changed functionality?
> Simply asking for curiosity, not that it would be of further importance for
> me.
>

That's how it works. Normally, unstable -> testing would just migrate. Security fixes to stable would be made in the normal course of events.

Bullseye / Debian 11 is now in really hard freeze - ready for release very shortly. So security fixes are more or less the only things going in. Each of them is hand approved so as not to break everything else. The very latest kernel/systemd security update is a big deal - so it got hand approved very quickly.

In general, any bug fixed package overrides all the files of the previous package: if there's a package foo-1.0.0 and foo-1.0.1 is a security fix, foo-1.0.1 will replace all the previous files from foo-1.0.0. There are exceptions, especially where there are modified configuration files: in that case, there will normally be a question asked as to whether to update the files or not. In some cases, the new package will leave a sample config file (with a dpkg.new extension, I think) in the correct place to be looked at and edited as necessary.

All the very best, as ever,

Andy Cater