Re: Package management and security
Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has the foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?

Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface ourselves with apt (no plugin system at that time). Am I right?

FP

2007/6/7, Riku Valli [EMAIL PROTECTED]:
> Frédéric PICA wrote:
>> Thanks for your answer.
>>
>> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>>
>> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>>
>> FP
>>
>> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>>> Frédéric PICA wrote:
>>>> Greets,
>>>>
>>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>>
>>>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>>
>>>> Thanks for your help,
>>>> FP
>>>
>>> Hi,
>>>
>>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>>
>>> -- Riku
>
> Hi,
>
> In the normal case, when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). In stable, dependencies normally never change. dist-upgrade is (in stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention. Maybe this is better explained in man aptitude, see below.
>
> upgrade
>     Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages which are not currently installed will not be installed. If a package cannot be upgraded without violating these constraints, it will be kept at its current version. Use the dist-upgrade command to upgrade these packages as well.
>
> dist-upgrade
>     Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than upgrade and thus more likely to perform unwanted actions. Users are advised to either use upgrade instead or to carefully inspect the list of packages to be installed and removed.
>
> -- Riku
Re: Package management and security
The security team looks at the diffs for the patch to version 2 of the software, identifies the parts that fix the bug in version 1 and manually backports the bug fix to version 1. We end up with a Debian-specific version that doesn't introduce new dependencies or features. This works with great success (through a huge amount of effort) the majority of the time. Some packages are more difficult to do this with than others (i.e. Firefox; you can search the archives of this list for specific details about why).

On 6/8/07 3:56 AM, Frédéric PICA [EMAIL PROTECTED] wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has the foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface ourselves with apt (no plugin system at that time). Am I right?
>
> FP
>
> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>> Frédéric PICA wrote:
>>> Thanks for your answer.
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>>>> Frédéric PICA wrote:
>>>>> Greets,
>>>>>
>>>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>>>
>>>>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>>>
>>>>> Thanks for your help,
>>>>> FP
>>>>
>>>> Hi,
>>>>
>>>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>>>
>>>> -- Riku
>>
>> Hi,
>>
>> In the normal case, when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). In stable, dependencies normally never change. dist-upgrade is (in stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention. Maybe this is better explained in man aptitude, see below.
>>
>> upgrade
>>     Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages which are not currently installed will not be installed. If a package cannot be upgraded without violating these constraints, it will be kept at its current version. Use the dist-upgrade command to upgrade these packages as well.
>>
>> dist-upgrade
>>     Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than upgrade and thus more likely to perform unwanted actions. Users are advised to either use upgrade instead or to carefully inspect the list of packages to be installed and removed.
>>
>> -- Riku
Re: Package management and security
You want to use a combination of these commands at different times:

    apt-get -qq update          # necessary, no email desired
    apt-get -dy upgrade         # download minor updates, do not install, send email
    apt-get -y upgrade          # install minor updates, send email
    apt-get -qqdy dist-upgrade  # download major updates, do not install, no email
    apt-get -dy dist-upgrade    # download major updates, do not install, send email
    apt-get -y dist-upgrade     # install major updates, send email

This is what I do:

    daily:
        apt-get -qq update
        apt-get -qqdy dist-upgrade
        apt-get -dy upgrade
    weekly:
        apt-get -y upgrade
        apt-get -dy dist-upgrade
    monthly:
        apt-get -y dist-upgrade

The daily cron job does not install anything and does not send email. It just loads the cache with everything (-qqdy dist-upgrade) and sends email about security updates (-dy upgrade). The weekly job installs upgrades and sends email about what it did, and also about which dist-upgrade packages it has downloaded (but not installed). The monthly job does a dist-upgrade (I'm ok with this) and sends email.

This approach is easy to tweak. What is important is that you can choose to download and send email and *not* install; this gives you a notice about what is available but requires you to manually log in and install them. For an environment with more critical servers you would scale this back: use apt-get dist-upgrade (no -y) or possibly even apt-get upgrade (no -y), which will send you email but not install anything automatically.

~mark

Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has the foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface ourselves with apt (no plugin system at that time). Am I right?
>
> FP
>
> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>> Frédéric PICA wrote:
>>> Thanks for your answer.
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>>>> Frédéric PICA wrote:
>>>>> Greets,
>>>>>
>>>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>>>
>>>>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>>>
>>>>> Thanks for your help,
>>>>> FP
>>>>
>>>> Hi,
>>>>
>>>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>>>
>>>> -- Riku
>>
>> Hi,
>>
>> In the normal case, when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). In stable, dependencies normally never change. dist-upgrade is (in stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention. Maybe this is better explained in man aptitude, see below.
>>
>> upgrade
>>     Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages
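Frédéric's worry above is the case where apt-get upgrade silently keeps a package back because the security update pulled in new dependencies, and Mark's scheme relies on email to surface what was not installed. The following script is an added example, not code from the thread: it parses the "kept back" section of apt-get's own report (here a constructed sample of `apt-get -s upgrade` output, so it runs offline) and builds the mail body a cron job would send. The package names, versions and archive labels in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example: report packages that "apt-get upgrade" would hold back
# (the "new dependencies" case discussed in the thread) instead of
# silently leaving them unpatched. Assumes apt-get's English
# "The following packages have been kept back:" wording.

# Constructed sample of "apt-get -s upgrade" output; names and versions
# are invented so the script can be exercised without a Debian box.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following packages have been kept back:
  foo libbar-dev
The following packages will be upgraded:
  openssl libssl0.9.8
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst openssl [0.9.8c-4] (0.9.8c-4etch1 Debian-Security:4.0/stable)
Conf openssl (0.9.8c-4etch1 Debian-Security:4.0/stable)'

# Print the package names listed under "kept back", one per line.
# The list is the run of indented lines that follows the header.
kept_back_packages() {
    printf '%s\n' "$1" | awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[^ ]/ { grab = 0 }   # next unindented line ends the list
        grab { for (i = 1; i <= NF; i++) print $i }
    '
}

# Number apt-get reports as "not upgraded" in its summary line.
not_upgraded_count() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) not upgraded\.$/\1/p'
}

# Mail body for the administrator; prints nothing when nothing is held back,
# so the cron job stays quiet on the common case and only mails on the 1%.
kept_back_report() {
    kept=$(kept_back_packages "$1")
    [ -z "$kept" ] && return 0
    printf 'apt-get upgrade kept back these packages on %s:\n' "$(uname -n)"
    printf '%s\n' "$kept" | sed 's/^/  /'
    printf 'Review them and run "apt-get dist-upgrade" by hand if appropriate.\n'
}

# How the pieces fit in a daily cron job (needs apt-get and mail; left
# commented out so this file runs on its own against the sample above):
# apt-get -qq update
# out=$(apt-get -s upgrade 2>&1)
# report=$(kept_back_report "$out")
# [ -n "$report" ] && printf '%s\n' "$report" | mail -s "kept-back packages" root
kept_back_report "$SAMPLE_APT_OUTPUT"
```

Because `-s` only simulates, the check itself changes nothing on the host; pairing it with `apt-get -dy upgrade` as Mark does leaves the packages downloaded and ready once you have read the mail.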
Re: Package management and security
On Fri, Jun 08, 2007 at 09:56:09AM +0200, Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question?

Don't do this :( The pace of change in Debian stable is very slow: as you correctly say, fixes are backported and so on, but it is still worth a human being checking what is to be upgraded; running this blind from a cron job may mean that you miss something important. Take the fact that Debian Sarge was updated 7 times over 2 1/2 years, the last time being just hours before the release of Etch. Point releases fix security and serious packaging bugs; each point release probably only contained 30-50 packages over a period of a few months. apt-get update once a week to see how much has changed and whether it is worth your while: then update carefully.

> Let's say Debian stable has the foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons.

This is fairly typical.

> Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ...

2 will probably be in testing, 1 will continue in stable. Critical fixes will be backported; if there are critical fixes which cannot be made, then it may be that the package will be considered for removal. This was one of the grounds for disagreement between Mozilla and Debian which led to Iceweasel: Mozilla don't want to support old versions, Debian don't want to just randomly change to new ones.

> And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel.

Fixed in testing, backported fix to stable is the rule.

> As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?

Not automatically: quite often, in these situations, maintainers produce a package to ease transitions.

> Even if 99% of the time this will work great, I can't accept this 1%.

Given the scale and pace of change, it's not infeasible to check what will be updated and update methodically.

> I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface ourselves with apt (no plugin system at that time). Am I right?
>
> FP
>
> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>> Frédéric PICA wrote:
>>> Thanks for your answer.
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>>>> Frédéric PICA wrote:
>>>>> Greets,
>>>>>
>>>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>>>
>>>>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>>>
>>>>> Thanks for your help,
>>>>> FP
>>>>
>>>> Hi,
>>>>
>>>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>>>
>>>> -- Riku
>>
>> Hi,
>>
>> In the normal case, when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). In stable, dependencies normally never change. dist-upgrade is (in stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention. Maybe this is better explained in man aptitude, see below.
>>
>> upgrade
>>     Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages which are not currently installed will not be installed.
Package management and security
Greets,

I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?

I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?

Thanks for your help,
FP
Re: Package management and security
Frédéric PICA wrote:
> Greets,
>
> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>
> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>
> Thanks for your help,
> FP

Hi,

apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.

-- Riku
Re: Package management and security
On Thu, Jun 07, 2007 at 05:14:53PM +0300, Riku Valli wrote:
> Frédéric PICA wrote:
>> Greets,
>>
>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?

afaik, nothing coming through in the security feed is going to introduce new package dependencies like this.

>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author,

and you are cron-ing this how?

Regards,
Paddy

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Package management and security
Thanks for your answer.

So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?

My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.

FP

2007/6/7, Riku Valli [EMAIL PROTECTED]:
> Frédéric PICA wrote:
>> Greets,
>>
>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>
>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>
>> Thanks for your help,
>> FP
>
> Hi,
>
> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>
> -- Riku
Re: Package management and security
Frédéric PICA wrote:
> Thanks for your answer.
>
> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>
> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>
> FP
>
> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>> Frédéric PICA wrote:
>>> Greets,
>>>
>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>
>>> I think particularly about security fixes that can't be backported to the Debian stable version and need an upgrade of the package to the latest version available from the author: what's going on if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>
>>> Thanks for your help,
>>> FP
>>
>> Hi,
>>
>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>
>> -- Riku

Hi,

In the normal case, when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). In stable, dependencies normally never change. dist-upgrade is (in stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention. Maybe this is better explained in man aptitude, see below.

upgrade
    Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages which are not currently installed will not be installed. If a package cannot be upgraded without violating these constraints, it will be kept at its current version. Use the dist-upgrade command to upgrade these packages as well.

dist-upgrade
    Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than upgrade and thus more likely to perform unwanted actions. Users are advised to either use upgrade instead or to carefully inspect the list of packages to be installed and removed.

-- Riku
Re: Package management and security
* Frédéric PICA [EMAIL PROTECTED] wrote:
> Thanks for your answer.
>
> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?

You could use the package cron-apt for this; it notifies you about the newly upgraded packages and can be configured for your needs.

Jens
Re: Package management and security
* [EMAIL PROTECTED] [EMAIL PROTECTED] [070607 16:21]:
>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>
> afaik, nothing coming through in the security feed is going to introduce new package dependencies like this.

Except sometimes kernels (and other things changing their ABI, though I doubt anything but the kernel will ever change that within a stable release). On the other hand, installing a kernel automatically alone will not fix the problem of a too old kernel running.

Hochachtungsvoll,
Bernhard R. Link