LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.
Old 09-14-2014, 06:35 AM   #1
Blaumieser
Member
 
Registered: Sep 2003
Distribution: aptosid
Posts: 40
Blog Entries: 3

Question Only install security updates for Debian Sid


Hi all,
I'm using aptosid which is based on Debian Sid. I normally use apt-get dist-upgrade to have a current system. But this often involves downloading and installing quite a large number of packages*. My question is therefore:

Does it make sense to upgrade/update only those packages that are security updates with this command:
Code:
apt-get install $(debsecan --suite sid --only-fixed --format packages)
This could be done more often and the dist-upgrade could be done in larger time intervals.

Thanks!
BM



* This not only takes a long time but also increases the risk of breakage of the system. I therefore found myself waiting quite long between dist-upgrades, but that also means that during that time security issues were not fixed, either.
 
Old 09-14-2014, 06:54 AM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Have you tried just upgrading instead of dist-upgrading? That should only update existing packages and not download and install new ones. Though running Sid (or a Sid based system) and not installing all the new updates seems to me to almost defeat the object.
 
Old 09-14-2014, 07:57 AM   #3
Blaumieser
Member
 
Registered: Sep 2003
Distribution: aptosid
Posts: 40

Original Poster
Blog Entries: 3

Yes, I sometimes also checked apt-get upgrade but the number of packages was not that much smaller than from apt-get dist-upgrade. And I see your point that it may not exactly be the idea of sid to install security updates only and that stable/testing could be better choices then. The scenario I wanted to avoid was installing every single new minor version of every single package I have installed just to be up-to-date with the security fixes*. I don't know how often people do a dist-upgrade but I'm upgrading roughly once per month. That means that security fixes won't be installed for one month in the worst case. My idea was not about stopping dist-upgrades but doing security updates (with debsecan) more often in between the dist-upgrades.

I know that stable and also testing have special security support but sid has not for obvious reasons. I have no real idea how the security fixes are organized, so sorry if the following is awfully naive or just plain wrong, but is this possible?: In the beginning Package foo in version 1.0 is in stable and also in testing and sid. Then it gets updated to version 1.1 (-> going to sid, then later to testing but not to stable). Then a security issue is found in the stable version 1.0 which gets fixed in a version 1.0.1. Let's say that the same issue may be present in version 1.1, therefore the developer issues a version 1.2 which also fixes the problem. Package foo 1.2 then goes to sid (with flag "fixed" so that debsecan can find it) and again later it goes to testing.

If the former is somehow what's happening, then using debsecan makes sense to me to some extent. But if e.g. most of the time fixes are only done in the stable version (foo 1.0.1) and new versions in sid/testing do not necessarily consider issues found in stable versions (so version 1.2 still has the issue), then I probably will not be using debsecan.



* Just one example: If I understand the Debian changelog correctly, libreoffice was updated three times in August (4.3.0-2 -> 4.3.0-3 -> 4.3.1-1). And if I had done a dist-upgrade (and also apt-get upgrade, right?) very frequently I probably would have installed all of them. And this was only for libreoffice...

Last edited by Blaumieser; 09-14-2014 at 07:58 AM. Reason: typo
 
Old 09-14-2014, 05:29 PM   #4
EmaRsk
Member
 
Registered: Mar 2006
Distribution: Mint, WSL Ubuntu
Posts: 134

In a recent Q&A at DebConf14, Linus Torvalds said that he doesn't mark any bug fix as a security fix for two reasons, one is that it would help the black hats, and the other, more relevant for this discussion, is that "you can turn pretty much every bug into a security bug" (video here, around 1:09:00).

In this light, would you have upgraded libreoffice or not?
 
Old 09-14-2014, 05:49 PM   #5
widget
Senior Member
 
Registered: Oct 2008
Location: S.E. Montana
Distribution: Debian Testing, Stable, Sid and Manjaro, Mageia 3, LMDE
Posts: 2,628

Sid is unstable. It gets the packages to build the new stable release first. They then go to testing if they do not have "release critical" bugs (ones that make the system not boot).

When you plan a new stable release you set a plan. This plan is for the release version and includes packages and the kernel version to be used.

When you build a new stable you build from the last stable version and slowly move up the ladder of building to get where you want to be.

All packages need to work with the kernel currently in use and a number of other packages that are basic to the system.

If you want to run Sid with no package upgrades don't upgrade any of them and reinstall every half year or so.

If you want a system with few package upgrades use Stable.

I run Sid. I run testing. I have an insane number of installs. My old box died in Feb and due to financial restraints I couldn't replace it until a couple of weeks ago. Slapped in my old drives and worked at way overdue upgrades knowing the problems I was going to face.

I had some victim installs that I worked on first before dealing with my main testing and Sid installs. Completely wiped out three of them but did find the problem packages and some theories of doing the upgrade in pieces to get the core upgraded before the less important packages.

By not upgrading packages but doing an "apt-get install --reinstall <many package names>" I actually got my main Sid install to boot at the end. Didn't work well at all. Gave up and got the package list of installed packages and reinstalled it.

I did, after basically killing off 4 systems, succeed in upgrading testing. Again using "install --reinstall" for things like the kernel and all of the xorg stuff and most of the DE base packages. And removing acpi and associated packages before doing anything.

This is what you will end up with if you do half assed update/upgrade cycles. Probably faster than not upgrading because your packages will be all different ages and not meant to work together. I would say you probably can get away with it for a couple months without seeing any problems. Maybe three. Then you will have some problem and decide to do the whole thing, probably close to 1000 packages by then, and end with, if you are lucky, a system that will drop you to a tty login.
 
Old 09-15-2014, 03:00 AM   #6
EmaRsk
Member
 
Registered: Mar 2006
Distribution: Mint, WSL Ubuntu
Posts: 134

Quote:
Originally Posted by widget View Post
"release critical" bugs (ones that make the system not boot).
No, this is not the definition of "release critical bugs" (here the correct one).


Quote:
When you build a new stable you build from the last stable version and slowly move up the ladder of building to get where you want to be.
No, the new stable is built from testing, not from the last stable (here the explanation).


Quote:
If you want to run Sid with no package upgrades don't upgrade any of them and reinstall every half year or so.

If you want a system with few package upgrades use Stable.
Quote:
I would say you probably can get away with it for a couple months without seeing any problems. Maybe three.
None of these is the goal of the OP.


Quote:
Originally Posted by Blaumieser
My idea was not about stopping dist-upgrades but doing security updates (with debsecan) more often in between the dist-upgrades.
 
Old 09-15-2014, 07:29 PM   #7
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/Raspberry Pi OS(Buster)
Posts: 4,769
Blog Entries: 16

My suggestion would be to hold/pin Libreoffice. If you aren't sure how to do that, smxi can do it for you.
 
Old 09-15-2014, 08:35 PM   #8
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,148

Hi,

sorry if this is somewhat off topic, but it looks to me like you are using a distribution that is not suited to you. Have you considered using Debian stable?

Evo2.
 
Old 09-16-2014, 04:45 AM   #9
cynwulf
Senior Member
 
Registered: Apr 2005
Location: Walsall, UK
Posts: 2,600
Blog Entries: 7

Quote:
Originally Posted by evo2 View Post
Hi,

sorry if this is somewhat off topic, but it looks to me like you are using a distribution that is not suited to you. Have you considered using Debian stable?

Evo2.
+1

You need to run the stable release as you want security updates only and you won't achieve this with Debian unstable or any Debian unstable based system.

Personally I think the approach to this thread is backwards and would suggest that you simply state what you want to do and why you believe it's necessary to run a Debian unstable based system in order to do it.
 
Old 09-17-2014, 02:44 PM   #10
Blaumieser
Member
 
Registered: Sep 2003
Distribution: aptosid
Posts: 40

Original Poster
Blog Entries: 3

Thanks to all for your opinions!


Quote:
Originally Posted by EmaRsk View Post
In a recent Q&A at DebConf14, Linus Torvalds said that he doesn't mark any bug fix as a security fix for two reasons, one is that it would help the black hats, and the other, more relevant for this discussion, is that "you can turn pretty much every bug into a security bug" (video here, around 1:09:00).

In this light, would you have upgraded libreoffice or not?
Good point, great video!

Quote:
Originally Posted by widget View Post
Sid is unstable. It gets the packages to build the new stable release first. They then go to testing if they do not have "release critical" bugs (ones that make the system not boot).
[...]
Thanks for these insights, but as EmaRsk correctly pointed out, none of the scenarios really applies to my situation. But nonetheless, an interesting read!

Quote:
Originally Posted by craigevil View Post
My suggestion would be to hold/pin Libreoffice. If you aren't sure how to that smxi can do it for you.
Yes, I've thought about this, too, and it would indeed solve it for libreoffice. But there are so many other "heavy" packages that would also need to be pinned. But thanks for bringing smxi back to my mind! If I remember correctly it was removed from sidux for whatever reason a long time ago..

Quote:
Originally Posted by evo2 View Post
sorry if this is somewhat off topic, but it looks too me like you are using a distribution that is not suited to you. Have you considered using Debian stable?
Yes, I even used it some time ago as my main distribution, but then, for unspecified reasons, I moved away from it.

Quote:
Originally Posted by cynwulf View Post
You need to run the stable release as you want security updates only and you won't achieve this with Debian unstable or any Debian unstable based system.
If you were reading only the subject line, then sorry that it does not completely reflect all details of the post itself which clearly says that I do not want to install security updates only all of the time.

Quote:
Originally Posted by cynwulf View Post
Personally I think the approach to thread is backwards and would suggest that you simply state what you want to do and why you believe it's necessary to run a Debian unstable based system in order to do it.
What I want to do: I use it as a personal desktop system.
Why I believe it's necessary to run a Debian unstable based system in order to do it: I don't believe that it is necessary.


So, to get back to the original point I think, I now see where the "confusion" may have come from: I did some g**gling around and a "normal" sid user seems to dist-upgrade several times a week, if not even daily - and with this background my question does not make much sense. As said, I usually dist-upgrade in several weeks intervals to keep the danger of breakage low (and out of laziness) but in an interesting thread on the Debian User Forums (started by craigevil) someone posted that dist-upgrading more often controls the danger of breakage better than doing it less often - but that is a different discussion.


BM
 
Old 09-18-2014, 02:12 AM   #11
EmaRsk
Member
 
Registered: Mar 2006
Distribution: Mint, WSL Ubuntu
Posts: 134

Blaumieser, what do you use to manage upgrades?
I ask this because in my opinion apt-get makes some things hard to do: you either upgrade all it wants to upgrade or you have to go through package pinning etc, which quickly becomes cumbersome.
If you never used aptitude in interactive mode (that is, call it without arguments), give it a try.
The learning curve is a bit steep but it's really worth it: you can easily inspect the upgrade list and hold back what you don't want to upgrade at the moment, and fixing dependencies issues is a breeze, too.
 
Old 09-18-2014, 02:15 PM   #12
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Waiting weeks between upgrades increases the risk of breakage instead of decreasing it. And breakage that does occur tends to be more severe than it would be with a frequent update schedule. True, nothing should break between updates, but the risk of something breaking increases exponentially, or thereabouts, with increases in time between updates. I've been running Sid for years, and I tell you this from bitter experience.
 
Old 09-18-2014, 02:26 PM   #13
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

To add another "me too" here -- I run Sid and dist-upgrade every day which tends to mean that if something breaks it only does so for that day. When the developers do things like move the NVIDIA drivers between parts of the repository it does break things and that may not have been noticed had I dist-upgraded a few days later but I'm not entirely convinced it would have gone without a hitch and the large number of updates may have made it harder to track down what happened.
I also get the impression that there are very few security updates to Sid at all as I subscribe to the Debian Security mailing list and the Sid updates don't really match them in the same way that the Stable updates do -- with Sid sometimes they go unpatched for a while and sometimes they were just part of another upgrade a couple of increments ago.
The above is all experience though and not analysis and I certainly don't know enough about things to make any definite statements.
 
Old 09-21-2014, 01:46 PM   #14
Blaumieser
Member
 
Registered: Sep 2003
Distribution: aptosid
Posts: 40

Original Poster
Blog Entries: 3

Thanks EmaRsk, sgosnell and 273 for your input!

@EmaRsk: Thanks also for the hint to aptitude. I'll give it a try. I have read that one should stick to the package manager that one started with after installation because it can cause strange results. Can I safely switch to aptitude after using apt-get all the time?

BM
 
Old 09-21-2014, 10:13 PM   #15
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Yes, either aptitude or apt-get will work fine. It's just a matter of personal preference. I prefer apt-get, but others prefer aptitude. I've used both, and both work, but I usually use what I'm used to, just because I'm used to it.
 
Tags
debian.sid.unstable, security, updates