Bug#914172: Inquiry re "policy" of new dependencies (not hosted in sec repo) added when issuing security updates
Hi Salvatore,

On 5/12/18 17:27, Salvatore Bonaccorso wrote:
> I would actually not recommend including only the security mirrors in
> sources.list. In such cases you will also miss important updates
> scheduled via point releases.
>
> Does this help?

Yes, that helps heaps! Thank you for the clarification! :)

FWIW, this config has served us pretty well for ~10 years to only install security updates. But it seems that luck may have been a significant factor!

With this info, we'll certainly need to reconsider how we do things, as our current config was based on an incorrect understanding of security update "policy".

Thanks again...

Regards,
Jeremy
Bug#914172: Inquiry re "policy" of new dependencies (not hosted in sec repo) added when issuing security updates
Hi Jeremy,

On Wed, Dec 05, 2018 at 02:15:04PM +1100, Jeremy Davis wrote:
> Hi,
>
> FYI TurnKey Linux is a Debian derivative which builds a library of
> headless server "software appliances" using mostly Debian packages, but
> many with upstream software pre-installed on top.
>
> I'm hoping to get some clarity on the "status" of the practice of adding
> new dependencies (not included in the security repo) when providing
> security related updated packages.
>
> For context, my question relates to a recent incident where ~70% of our
> library automatically uninstalled MariaDB when the recent security
> update[1] was released. If you want more detail, please see #914172[2].
>
> [1] https://www.debian.org/security/2018/dsa-4341
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172
>
> The crux of it is that we have a daily automated update task which
> installs packages exclusively from the security repo. The MariaDB
> security update included a new dependency on 'libconfig-inifiles-perl'
> (hosted in main, not security).
>
> As our config does not install packages from any repo other than
> security, this caused MariaDB to be uninstalled (uninstallable
> dependency causing apt to remove the package(s)).
>
> I.e. our current config assumes that any new dependencies for security
> updates would also be included in the security repo.
>
> If it is confirmed that this is expected (albeit uncommon) behaviour, we
> need to adjust our current auto-update config as it is not safe!
>
> If instead this was a mistake (human error), then we'd like to see how
> we might be able to support the Security team to avoid this happening
> again in the future. I have no idea what form this might take, but am
> open to suggestions.

The addition of libconfig-inifiles-perl was an intentional change here, from the changelog entry:

  * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop

I would actually not recommend including only the security mirrors in sources.list. In such cases you will also miss important updates scheduled via point releases.

Does this help?

Regards,
Salvatore
Bug#914172: Inquiry re "policy" of new dependencies (not hosted in sec repo) added when issuing security updates
Hi,

FYI TurnKey Linux is a Debian derivative which builds a library of headless server "software appliances" using mostly Debian packages, but many with upstream software pre-installed on top.

I'm hoping to get some clarity on the "status" of the practice of adding new dependencies (not included in the security repo) when providing security related updated packages.

For context, my question relates to a recent incident where ~70% of our library automatically uninstalled MariaDB when the recent security update[1] was released. If you want more detail, please see #914172[2].

[1] https://www.debian.org/security/2018/dsa-4341
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172

The crux of it is that we have a daily automated update task which installs packages exclusively from the security repo. The MariaDB security update included a new dependency on 'libconfig-inifiles-perl' (hosted in main, not security).

As our config does not install packages from any repo other than security, this caused MariaDB to be uninstalled (uninstallable dependency causing apt to remove the package(s)).

I.e. our current config assumes that any new dependencies for security updates would also be included in the security repo.

If it is confirmed that this is expected (albeit uncommon) behaviour, we need to adjust our current auto-update config as it is not safe!

If instead this was a mistake (human error), then we'd like to see how we might be able to support the Security team to avoid this happening again in the future. I have no idea what form this might take, but am open to suggestions.

Regards,
Jeremy
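A dry-run guard for the kind of automated update task described in the original report, and for the failure mode Salvatore's reply explains (a security update whose new dependency is only available from main). This is an added example for this thread, not code from the bug report or from TurnKey Linux's tooling. apt-get's simulate mode (-s) prints the planned actions one per line as Inst, Conf and Remv records; the script inspects that plan and refuses to apply it when any package would be removed, which is what happened to MariaDB when the new dependency could not be satisfied from a security-only sources list. The two sample plans, their package versions and all function names are constructed, and the script assumes the task runs apt-get dist-upgrade (the thread does not say which apt invocation was used).

```shell
#!/bin/sh
# Added example, not from the bug report: refuse an automated upgrade whose
# apt plan would remove packages. Function and variable names are hypothetical.

# Constructed apt-get -s output resembling the #914172 scenario: the new
# dependency cannot be installed from a security-only sources list, so apt's
# plan removes the MariaDB packages. Version strings are placeholders.
UNSAFE_PLAN='Reading package lists...
Building dependency tree...
Reading state information...
Remv mariadb-server-10.1 [1.0-1]
Remv mariadb-client-10.1 [1.0-1]
Inst libmariadbclient18 [1.0-1] (1.0-2 Debian-Security:9/stable [amd64])
Conf libmariadbclient18 (1.0-2 Debian-Security:9/stable [amd64])'

# Constructed plan for the same update when main is also in sources.list:
# the dependency is pulled in from main and nothing is removed.
SAFE_PLAN='Reading package lists...
Building dependency tree...
Reading state information...
Inst libconfig-inifiles-perl (1.0-1 Debian:9/stable [all])
Inst mariadb-client-10.1 [1.0-1] (1.0-2 Debian-Security:9/stable [amd64])
Conf libconfig-inifiles-perl (1.0-1 Debian:9/stable [all])
Conf mariadb-client-10.1 (1.0-2 Debian-Security:9/stable [amd64])'

# removals_in_plan PLAN: print the name of every package the plan removes.
# apt-get -s lists one action per line; the first field is the action and
# the second is the package name.
removals_in_plan() {
    printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }'
}

# count_removals PLAN: number of packages the plan would remove.
count_removals() {
    removals_in_plan "$1" | wc -l | tr -d ' '
}

# plan_is_safe PLAN: succeed only when the plan removes nothing.
plan_is_safe() {
    [ "$(count_removals "$1")" -eq 0 ]
}

# guarded_upgrade: simulate first, apply only when nothing would be removed.
# Needs apt and root; it is not exercised by the sample data above.
guarded_upgrade() {
    plan=$(apt-get -s dist-upgrade 2>&1) || return 2
    if plan_is_safe "$plan"; then
        apt-get -y dist-upgrade
    else
        echo "refusing to upgrade: the plan would remove these packages:" >&2
        removals_in_plan "$plan" >&2
        return 1
    fi
}
```

Only guarded_upgrade touches apt; the parsing functions take the captured plan text as an argument so the check can be exercised offline against the constructed plans. The guard catches the symptom (a security-only task silently removing packages) and turns it into a failed run that an operator will notice. The underlying fix is the one Salvatore recommends: keep the main and point-release suites in sources.list so that new dependencies can be resolved, and limit what gets installed automatically by some other means than dropping repositories (the unattended-upgrades package, for instance, filters by package origin while still resolving dependencies from the full sources list).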