Re: Package management and security

2007-06-08 Thread Andrew M.A. Cater
On Fri, Jun 08, 2007 at 09:56:09AM +0200, Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work but what about my
> first question ?

Don't do this :(  The pace of change in Debian stable is very slow: as 
you correctly say, fixes are back ported and so on but it is still worth 
a human being checking what is to be upgraded - running this blind from 
a cron job may mean that you miss something important. 

Take the fact that Debian Sarge was updated 7 times over 2 1/2 years - 
the last time being just hours before release of Etch. Point releases 
fix security and serious packaging bugs - each point release probably 
only contained 30 - 50 packages over a period of a few months. apt-get 
update once a week to see how much has changed and whether it is worth 
your while: then update carefully.

> Let's say debian stable has foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated
> to foo-1.0.1 for bugfix reasons.

This is fairly typical.
> Meanwhile the author of foo releases version 2; debian stable will not
> upgrade the package because version 2 adds more features, has new
> dependencies, ...

2 will probably be in testing, 1 will continue in stable. Critical fixes
will be backported - if there are critical fixes which cannot be made, 
then it may be that the package will be considered for removal. This was 
one of the grounds for disagreement between Mozilla and Debian which led 
to Iceweasel: Mozilla don't want to support old versions, Debian don't 
want to just randomly change to new ones.

> And now, the author releases version 2.1, a critical security fix, there is a
> flaw found from version 1 to 2.
> The debian security team does its work and first tries to backport the
> security fix but this time it's not possible so they have no other choice but to
> package version 2.1 in the security channel.

Fixed in testing, backported fix to stable is the rule.

> As version 2.1 has new dependency requirements which are not installed,
> apt-get upgrade will not update that package, right ?
> 

Not automatically: quite often, in these situations, maintainers produce 
a package to ease transitions.

> Even if in 99% of the time, this will work great, I can't accept this 1%.

Given the scale and pace of change, it's not infeasible to check what 
will be updated and update methodically.

> I could accept this 1% risk only if I have a way to be warned, the server
> sending me automatically a mail for example, but I think there is no way to
> do that because there is no way to interface ourselves with apt (no plugin
> system at that time)
> 
> Am I right ?
> 
> FP

Re: Package management and security

2007-06-08 Thread Mark Lanett
You want to use a combination of these commands at different times:

apt-get -qq   update       # necessary, no email desired

apt-get -dy   upgrade      # download minor updates, do not install, send email
apt-get -y    upgrade      # install minor updates, send email

apt-get -qqdy dist-upgrade # download major updates, do not install, no email
apt-get -dy   dist-upgrade # download major updates, do not install, send email
apt-get -y    dist-upgrade # install major updates, send email



This is what I do:

daily:
apt-get -qq   update       &&
apt-get -qqdy dist-upgrade &&
apt-get -dy   upgrade

weekly:
apt-get -y    upgrade      &&
apt-get -dy   dist-upgrade

monthly:
apt-get -y    dist-upgrade

The daily cron job does not install anything and does not send email. It
just loads the cache with everything (-qqdy dist-upgrade) and sends email
about security updates (-dy upgrade).
The weekly job installs upgrades and sends email about what it did, and also
about which dist-upgrade packages it has downloaded (but not installed).
The monthly job does a dist-upgrade (I'm ok with this) and sends email.

This approach is easy to tweak. What is important is that you can choose to
download and send email and *not* install; this gives you a notice about
what is available but requires you to manually log in and install them.

For an environment with more critical servers you would scale this back; use
apt-get dist-upgrade (no -y) or possibly even apt-get upgrade (no -y), which
will send you email but not install anything automatically.

~mark


Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work but what
> about my first question ?
> Let's say debian stable has foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0
> updated to foo-1.0.1 for bugfix reasons.
> Meanwhile the author of foo releases version 2; debian stable will not
> upgrade the package because version 2 adds more features, has new
> dependencies, ...
> And now, the author releases version 2.1, a critical security fix,
> there is a flaw found from version 1 to 2.
> The debian security team does its work and first tries to backport the
> security fix but this time it's not possible so they have no other
> choice but to package version 2.1 in the security channel.
> As version 2.1 has new dependency requirements which are not
> installed, apt-get upgrade will not update that package, right ?
>
> Even if in 99% of the time, this will work great, I can't accept this 1%.
> I could accept this 1% risk only if I have a way to be warned, the server
> sending me automatically a mail for example, but I think there is no
> way to do that because there is no way to interface ourselves with apt
> (no plugin system at that time)
>
> Am I right ?
>
> FP
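
Mark's download-only cron runs rely on cron mailing whatever apt-get prints, and the packages a cron "apt-get -y upgrade" silently skips are the ones apt lists as "kept back", which is exactly the 1% case FP describes above. The script below is an added example (not code from Mark, FP or the Debian project) that turns a simulated "apt-get -s upgrade" run into a short report and returns failure when something is kept back; the sample output is constructed and the line shapes are assumed from apt-get's simulation format, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: parse a simulated "apt-get -s upgrade"
# run into the text cron will mail. The case worth flagging is the one FP
# worries about: a security update whose new dependencies "upgrade" will
# not pull in, which apt reports under "kept back" and then skips.

# Constructed sample of apt-get's simulation output (shape assumed from
# apt-get's "kept back" block and its "Inst pkg [old] (new origin)" lines).
SAMPLE_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
The following packages have been kept back:
  foo linux-image-2.6-686
The following packages will be upgraded:
  bar baz
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst bar [1.0-1] (1.0-2 Debian-Security:4.0/stable [i386])
Inst baz [2.1-1] (2.2-1 Debian:4.0/stable [i386])
Conf bar (1.0-2 Debian-Security:4.0/stable [i386])
Conf baz (2.2-1 Debian:4.0/stable [i386])'

# kept_back OUTPUT: one package name per line from the "kept back" block.
# These are the packages a cron "apt-get -y upgrade" leaves at the old version.
kept_back() {
    printf '%s\n' "$1" | awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        /^The following/ || /^[0-9]+ upgraded/         { grab = 0 }
        grab && /^  / { for (i = 1; i <= NF; i++) print $i }
    '
}

# security_upgrades OUTPUT: packages whose pending version comes from the
# security archive, read from the "Inst" lines of the simulation.
security_upgrades() {
    printf '%s\n' "$1" | awk '/^Inst / && /Debian-Security/ { print $2 }'
}

# report OUTPUT: print the mail body. Returns 1 when anything is kept back,
# so a cron job built on it fails visibly instead of silently skipping.
report() {
    sec=$(security_upgrades "$1")
    kb=$(kept_back "$1")
    if [ -n "$sec" ]; then
        printf 'Security updates pending:\n%s\n' "$sec"
    fi
    if [ -n "$kb" ]; then
        printf 'KEPT BACK (apt-get upgrade will not touch these; install by hand):\n%s\n' "$kb"
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample. In a cron job, after
# "apt-get -qq update", the call would be:  report "$(apt-get -s upgrade)"
if ! report "$SAMPLE_OUTPUT"; then
    echo "(report returned 1: manual action needed)"
fi
```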

Re: Package management and security

2007-06-08 Thread John Wright
The security team looks at the diffs for the patch to version 2 of the
software, identifies the parts that fix the bug in version 1 and manually
backports the bug fix to version 1. We end up with a Debian specific version
that doesn't introduce new dependencies or features. This works with great
success (through a huge amount of effort) the majority of the time. Some
packages are more difficult to do this with than others (i.e. Firefox - you
can search the archives of this list for specific details about why).


On 6/8/07 3:56 AM, "Frédéric PICA" <[EMAIL PROTECTED]> wrote:

> Ok, so apt-get update/upgrade -y in a cron job will work but what about my
> first question ?
> Let's say debian stable has foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to
> foo-1.0.1 for bugfix reasons.
> Meanwhile the author of foo releases version 2; debian stable will not upgrade
> the package because version 2 adds more features, has new dependencies,
> ...
> And now, the author releases version 2.1, a critical security fix, there is a
> flaw found from version 1 to 2.
> The debian security team does its work and first tries to backport the security
> fix but this time it's not possible so they have no other choice but to package
> version 2.1 in the security channel.
> As version 2.1 has new dependency requirements which are not installed,
> apt-get upgrade will not update that package, right ?
> 
> Even if in 99% of the time, this will work great, I can't accept this 1%.
> I could accept this 1% risk only if I have a way to be warned, the server sending
> me automatically a mail for example, but I think there is no way to do that
> because there is no way to interface ourselves with apt (no plugin system at
> that time) 
> 
> Am I right ?
> 
> FP

Re: Package management and security

2007-06-08 Thread Frédéric PICA

Ok, so apt-get update/upgrade -y in a cron job will work but what about my
first question ?
Let's say debian stable has foo-1.0 package.
I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated
to foo-1.0.1 for bugfix reasons.
Meanwhile the author of foo releases version 2; debian stable will not
upgrade the package because version 2 adds more features, has new
dependencies, ...
And now, the author releases version 2.1, a critical security fix, there is a
flaw found from version 1 to 2.
The debian security team does its work and first tries to backport the
security fix but this time it's not possible so they have no other choice but to
package version 2.1 in the security channel.
As version 2.1 has new dependency requirements which are not installed,
apt-get upgrade will not update that package, right ?

Even if in 99% of the time, this will work great, I can't accept this 1%.
I could accept this 1% risk only if I have a way to be warned, the server
sending me automatically a mail for example, but I think there is no way to
do that because there is no way to interface ourselves with apt (no plugin
system at that time)

Am I right ?

FP

2007/6/7, Riku Valli <[EMAIL PROTECTED]>:


Hi

In the normal case, when you use Debian stable, you do only update/upgrade
and possibly need the switch -y (assume yes for every question). At stable,
dependencies normally never change. This dist-upgrade is (at stable) only
used when you update Debian releases from older to newer.

In the older stable there was only one kernel upgrade which needed manual
intervention.

Maybe this is better explained in man aptitude, see below.

  upgrade
   Upgrades installed packages to their most recent version. Installed
   packages will not be removed unless they are unused (see the
   section "Managing Automatically Installed Packages" in the aptitude
   reference manual); packages which are not currently installed will
   not be installed.

   If a package cannot be upgraded without violating these
   constraints, it will be kept at its current version. Use the
   dist-upgrade command to upgrade these packages as well.

 dist-upgrade
   Upgrades installed packages to their most recent version, removing
   or installing packages as necessary. This command is less
   conservative than upgrade and thus more likely to perform
   unwanted actions. Users are advised to either use upgrade
   instead or to carefully inspect the list of packages to be
   installed and removed.


-- Riku



Re: Package management and security

2007-06-07 Thread Bernhard R. Link
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [070607 16:21]:
> > >I saw in 'man apt-get' that using apt-get upgrade does not install new
> > >packages or remove an already installed package.
> > >Is it possible that I did'nt get the latest security fixes using
> > >apt-get upgade in a cron job ?
>
> afaik, nothing coming through in the security feed is going to introduce
> new package dependencies like this.

Except sometimes kernels (and other things changing their ABI, though I
doubt anything but the kernel will ever change that within a stable release).

On the other hand, installing a kernel automatically alone will not fix
the problem of too old a kernel running.

Hochachtungsvoll,
Bernhard R. Link


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Package management and security

2007-06-07 Thread Jens Schüßler
* Frédéric PICA <[EMAIL PROTECTED]> wrote:
> Thanks for your answer,
> 
> So I need to do an apt-get dist-upgrade in my cron job to be sure to always
> have the latest security fixes ?
> What's the risk to have a needed package uninstalled by that way ?

You could use the package cron-apt for this; it notifies you about the newly
upgraded packages and can be configured for your needs.

Jens



Re: Package management and security

2007-06-07 Thread Riku Valli

Frédéric PICA wrote:

Thanks for your answer,

So I need to do an apt-get dist-upgrade in my cron job to be sure to 
always have the latest security fixes ?

What's the risk to have a needed package uninstalled by that way ?

My goal is to have the latest security fixes for a server, but I have 
to be sure that dist-upgrade will not break my server by removing 
needed packages, for example mod_php for apache or things like that.


FP

Hi

In the normal case, when you use Debian stable, you do only update/upgrade 
and possibly need the switch -y (assume yes for every question). At stable, 
dependencies normally never change. This dist-upgrade is (at stable) only 
used when you update Debian releases from older to newer.


In the older stable there was only one kernel upgrade which needed manual 
intervention.


Maybe this is better explained in man aptitude, see below.

 upgrade
  Upgrades installed packages to their most recent version. Installed
  packages will not be removed unless they are unused (see the
  section "Managing Automatically Installed Packages" in the aptitude
  reference manual); packages which are not currently installed will
  not be installed.

  If a package cannot be upgraded without violating these
  constraints, it will be kept at its current version. Use the
  dist-upgrade command to upgrade these packages as well.

dist-upgrade
  Upgrades installed packages to their most recent version, removing
  or installing packages as necessary. This command is less
  conservative than upgrade and thus more likely to perform
  unwanted actions. Users are advised to either use upgrade
  instead or to carefully inspect the list of packages to be
  installed and removed.


-- Riku



Re: Package management and security

2007-06-07 Thread Frédéric PICA

Thanks for your answer,

So I need to do an apt-get dist-upgrade in my cron job to be sure to always
have the latest security fixes ?
What's the risk to have a needed package uninstalled by that way ?

My goal is to have the latest security fixes for a server, but I have to be
sure that dist-upgrade will not break my server by removing needed packages,
for example mod_php for apache or things like that.

FP

2007/6/7, Riku Valli <[EMAIL PROTECTED]>:


Hi

apt-get upgrade only upgrades your packages to newer versions. When a
package upgraded this way needs new extra packages, then upgrade
can't upgrade your package. You must install it.


-- Riku



Re: Package management and security

2007-06-07 Thread paddy
On Thu, Jun 07, 2007 at 05:14:53PM +0300, Riku Valli wrote:
> Frédéric PICA wrote:
> >Greets,
> >
> >I saw in 'man apt-get' that using apt-get upgrade does not install new 
> >packages or remove an already installed package.
> >Is it possible that I didn't get the latest security fixes using 
> >apt-get upgrade in a cron job ?

afaik, nothing coming through in the security feed is going to introduce
new package dependencies like this.

> >I think particularly about security fixes that can't be retro-ported 
> >to the debian stable version and needs to upgrade the package to the 
> >latest author available version, 

and you are cron-ing this how ?

Regards,
Paddy





Re: Package management and security

2007-06-07 Thread Riku Valli

Frédéric PICA wrote:

Greets,

I saw in 'man apt-get' that using apt-get upgrade does not install new 
packages or remove an already installed package.
Is it possible that I didn't get the latest security fixes using 
apt-get upgrade in a cron job ?
I think particularly about security fixes that can't be retro-ported 
to the debian stable version and need to upgrade the package to the 
latest author available version: what's going on if the package 
dependencies change ? Will the security patch be installed 
with its new dependencies anyway, or will the package not be 
upgraded ?


Thanks for your help,
FP



Hi

apt-get upgrade only upgrades your packages to newer versions. When a 
package upgraded this way needs new extra packages, then upgrade 
can't upgrade your package. You must install it.



-- Riku