[SOLVED] Unannounced updates?

yngvarr · 01-01-2017, 10:15 AM

I got following updates, but these are not mentioned on Slackware security mailing list:

glibc-zoneinfo-2016j-noarch-1_slack14.2.txz
intltool-0.51.0-x86_64-3_slack14.2.txz
xfce4-weather-plugin-0.8.8-x86_64-1_slack14.2.txz

I did find some of them on launchpad.net, but not on official web sites. Is this some usual thing, to have updates without official notice, and how can I make sure that there isn't someone messing up with mirror I use, if I can't rely on official announcements to be complete?

Alien Bob · 01-01-2017, 10:30 AM

Not every update to a Slackware stable release is a security update per se. It's usually a security update, but the cases you mention are not.
The glibc-zoneinfo, intltool and xfce4-weather-plugin updates were courtesy updates.

You can read the reasons for these updates in the Slackware 14.2 ChangeLog.txt.

bbuske · 01-01-2017, 10:33 AM

Hello and welcome to the forums,

From what I have seen and known, patches announcement is different depending on the distro. I know, that for openSUSE, I only receive email notifications about security fixes, not so about any other patch that is posted. I suppose it would also depend of whom is responsible for the patches. Is it an official Slackware repository (Sorry I am not using Slackware myself) or is it a third party one. If it is a third party one, there might be a different website or place to get release notes and update information from.

Regarding checking them: First of all, you can and certainly should check, if they are signed by a valid key and if the Checksum is what it should be. If you still have reasonable doubt, I suppose you could check back with Slackware themselves or their community, to have it verified this way.

There are some very experienced Slackware users around here, you will probably get some additional input as well.

Happy new year!

yngvarr · 01-01-2017, 12:09 PM

Thanks for answers, tips and welcome. I always assumed that stable release updates are security ones, so these got me a bit confused. Especially because I couldn't find them on official sites. I'm not so new with Slackware (IIRC, my first install was 0.99r14 in 1994.), but I think I have never, until 14.2, tried to update the running system. My cycle for most Slackware releases was: new Slack yay, install and ... forget. Usually followed by partition removal to make space for more Windows garbage.

Now, yes, ChangeLog.txt. One that I saw mentioned already in posts, but managed to forget about it.

MadMaverick9 · 01-01-2017, 10:57 PM

Quote:

Originally Posted by yngvarr

... how can I make sure that there isn't someone messing up with mirror I use ...

So much talk, but no real answer ...

Code:

bash $ gpg --verify patches/packages/xfce4-weather-plugin-0.8.8-i486-1_slack14.0.txz.asc
gpg: assuming signed data in `patches/packages/xfce4-weather-plugin-0.8.8-i486-1_slack14.0.txz'
gpg: Signature made 2016-12-24T08:38:34 ICT using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"

Code:

bash $ gpg --verify patches/CHECKSUMS.md5.asc
gpg: assuming signed data in `patches/CHECKSUMS.md5'
gpg: Signature made 2016-12-29T04:06:54 ICT using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
bash $ cd patches/ ; tail +13 CHECKSUMS.md5 | md5sum -c

The ".asc" files are there for a reason.

Happy New Year, Pat!! And Thank You!!