Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

Old 01-29-2010, 03:48 PM
"Boyd Stephen Smith Jr."
Installation of packages from backports, unstable and stable.

On Friday 29 January 2010 08:11:06 Osamu Aoki wrote:
> Thanks for enthusiastic promotion of Debian unstable.

What? No. I don't run unstable. I run stable on my servers (this can be
verified by checking /etc/debian-release or the version number of a random
sampling of packages) and testing on my desktop (I had to have KDE 4; same
verification process).

The output of aptitude in the middle of a library transition in unstable kinda
freaks me out. Also, mixed systems like mine are very sensitive to the ABI
compatibility guaranteed by Debian policy, and unstable breaks ABI far more
often than testing.

> Please remember there are people behind packages and APT system only
> uses information provided by them. Overly confident on Debian system
> beyond its providers is not good for you.

I also know that many eyes watch Debian packages, and that Debian provides a
lot of tools to verify packages match policy. Yes, there are going to be
mistakes, but when Debian policy is followed, running a mixed system is not a

> You know we run the stable system on most Debian servers.

I run stable on my servers as well.

> Have you
> thought about the reason behind why we have backports.org and we AS
> Debian use backports.org packages for partial upgrades of our stable
> servers?

They provide newer upstream versions (which may include new features, or fix
issues that are not generally release-critical but may be important to this
server) without requiring a library transition. Depending on how long it has
been since stable has been released, some libraries could have made an ABI
transition. When that happens, pulling a package from testing may require
unwanted upgrades (both of libraries and even unrelated applications) in order
to satisfy all dependencies. Backports policy for packages is different than
testing, so this is not an issue with backports.

> If things always work just using multiple archives with
> preferences and aptitude, .... we do not need backports.org packages
> for Debian servers. We can just have unstable.

That's not true at all. Backports serves a very important role, which is why
I have my apt preferences set to use backports for things before using
testing/unstable/experimental. Backports isn't just another testing with a
longer bug delay or where lower priority bugs prevent automatic package
transition, it has a different policy on how different it can be from stable,
and I applaud the goals of making backports (and volatile) part of the
official mirror system.

> On Wed, Jan 27, 2010 at 08:45:13AM -0600, Boyd Stephen Smith Jr. wrote:
> > In <20100127131300.GE6468@osamu.debian.net>, Osamu Aoki wrote:
> > >> Do I need to create a preference file ?...
> > >
> > >These are tricks to fool APT.
> >
> > Not "fool".
> You are free to disagree.

"fooling" APT would be communicating information to APT that was either
incorrect or more simplistic than what APT would normally use. I am using my
apt preferences file to provide APT with accurate additional information that
it did not have before, hardly "fooling" it.

> But we as Debian packagers assume users to
> use DEFAULT configuration and try to guarantee proper function under such
> condition.

Right, (I hope) no one expects the package maintainers to test every possible

> Debian provides you with lots of tools to override package
> maintainer judgement and expectation.

This doesn't override maintainer judgement. It doesn't say "assume package X
is installed"; it doesn't say "satisfy dependencies for package X with package

It may not be their expectation, but every system is mixed in the middle of an
upgrade, so some part of their expectation covers a mixed system.

It does increase the pool of packages available, but it doesn't go outside the
official and semi-official repositories -- where Debian policy guarantees
upgrades from a stable package to a backports package to a testing package to
an unstable package will work.

> This does not guarantee your
> action is the right one.

Oh, I agree. A stable system is fully "supported" while mixed systems are not
"supported". Of course, since backports is not an official repository it is
also not "supported".

At least, that's policy.

Truth is, a pure stable system is something few users are ultimately happy
with as a desktop. Adding backports might get you the package you were hoping
for. Adding debian-multimedia can make things a lot easier as far as dealing
with the randomness of file formats available on the Internet. At some point
they may, like myself, start backporting packages themselves for private use
using a stable pbuilder set-up, with lintian and piuparts.

At all these points, you can basically get the same level of support for your
system. The forums and mailing lists are still open to all and few will
refuse to advise you because you've got a non-stable system. Even bugs.d.o
remains a resource, at least until your problem touches on a specific package
that some maintainer doesn't trust.

Eventually though, they may find that the package version they want, whether
it fixes a pet bug or it is just some "new hotness", is not in their favorite,
mostly compatible repositories. It doesn't appear to be backportable as it
clearly uses API that's not in the stable library headers.

They could upgrade wholesale to testing or unstable, but that can lead to far
more instability (not crashing, just frequent [and sometimes troublesome]
upgrades) than they are ready for. A mixed system is great in this case.

> Please
> run packages under pure unstable system if possible to report bugs.

That's *NOT* Debian policy. DDs are responsible for *all* their official
package versions, not just unstable.

> (Please do not feel bad. You are not alone making this
> misunderstanding.)

Please provide a Debian policy document reference that says DDs get to ignore
testing and stable.

> Please note that I install some unstable packages which I know they
> should work, like most bash programs, to my stable system.

I avoid unstable for the most part. I would much rather pull a package from
backports or testing than unstable.

> > >If not, it is best not to do this kind of mixed system to avoid
> > >problem.
> >
> > Having run a mixed desktop and 2 mixed servers since before Lenny was
> > released, I disagree with this statement. It allows the packages whose
> > development I'm not currently following to remain dependable (pulled from
> > stable or at least testing) while letting me pull packages with new,
> > shiny features that I must try from unstable or experimental.
> Lucky you. This is just your case.

The main avenue for support for mixed systems is just as reliable as the main
avenue for support for pure-stable or pure-unstable systems: the mailing lists
and forums.

Things are *less likely* to break in a mixed stable/backports/testing/unstable
environment than in the purely unstable environment. The list archives bear
that fact out.

> > I really do find it to be a best-of-both-worlds situation. My
> > configuration is documented at http://iguanasuicide.net/node/4.
> Recently, many packages are built with strict version dependencies.
> So there may be fewer problematic cases arising with such set up since
> they tends to pull in required version packages.
> But giving blanket guarantee without fair warning is irresponsible.

Fair Warning: Mixed systems are "unsupported". In theory, this means that
you won't be able to use the Debian support infrastructure to deal with issues
that may arise during your use of a mixed system. In practice, you have the
same resources available as everyone else running Debian: a bunch of
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
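
A small lint for the suite ordering the post above describes (stable first, backports before testing/unstable/experimental), added here as an example and not taken from the poster's own configuration. The priorities, the `lenny-backports` archive name, the sample file and the function names are assumptions.

```python
import re

# Suite order described in the post: stable first, backports next, then
# testing, unstable and experimental. "lenny-backports" is an assumed archive name.
EXPECTED_ORDER = ["stable", "lenny-backports", "testing", "unstable", "experimental"]

# Constructed sample preferences file (not the poster's real configuration).
SAMPLE_PREFERENCES = """\
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=lenny-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 1
"""


def parse_preferences(text):
    """Return {archive: priority} for 'Package: *' stanzas pinned by archive."""
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.lstrip().startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
        archive = re.search(r"\ba=([^,\s]+)", fields.get("pin", ""))
        if fields.get("package") == "*" and archive and "pin-priority" in fields:
            pins[archive.group(1)] = int(fields["pin-priority"])
    return pins


def lint(text, order=EXPECTED_ORDER):
    """Return a list of findings; an empty list means the ordering holds."""
    pins = parse_preferences(text)
    findings = [f"{suite}: no 'Package: *' pin found" for suite in order if suite not in pins]
    present = [suite for suite in order if suite in pins]
    # Each suite must have a strictly lower priority than the one before it.
    for higher, lower in zip(present, present[1:]):
        if pins[higher] <= pins[lower]:
            findings.append(
                f"{lower} ({pins[lower]}) is not below {higher} ({pins[higher]})"
            )
    # A priority above 1000 lets APT install a version even as a downgrade.
    for suite, priority in pins.items():
        if priority > 1000:
            findings.append(f"{suite}: priority {priority} above 1000 permits downgrades")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PREFERENCES) or ["pins follow the expected suite order"]:
        print(finding)
```
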
Old 01-30-2010, 04:04 PM
Osamu Aoki
Installation of packages from backports, unstable and stable.


On Fri, Jan 29, 2010 at 10:48:13AM -0600, Boyd Stephen Smith Jr. wrote:
> On Friday 29 January 2010 08:11:06 Osamu Aoki wrote:
> > Please run packages under pure unstable system if possible to report
> > bugs.
> That's *NOT* Debian policy.

I said "if possible".

> DDs are responsible for *all* their official
> package versions, not just unstable.

DDs fix package issues only on:
* pure oldstable system (security bugs)
* pure stable system (security bugs and safe fixes)
* pure testing system (All bugs normally via unstable upload)
* pure unstable system (All bugs)

(Please note pure means not mixing stable/testing/unstable)

Once you create mixed system, you are basically on your own. (This does
not conflict with the fact that I tried to make my packages to be
backportable as much as possible. This is my optional action.)

> > (Please do not feel bad. You are not alone making this
> > misunderstanding.)
> Please provide a Debian policy document reference that says DDs get to ignore
> testing and stable.

I am not saying "DDs get to ignore testing and stable". I am only
saying "DD does not guarantee mixed stable/testing/unstable system".

We make releases with reason. We do not test nor guarantee mixed system.


PS: "policy" may not cover obvious... I do not feel I had to take
burden of proof here.

To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Old 01-30-2010, 09:30 PM
Installation of packages from backports, unstable and stable.

On Wed, Jan 27, 2010 at 10:06:39PM +0530, vishnu vardhan wrote:
> After installing Openoffice, I commented out lines of backports.
> When I have installed transmission, I did not comment out lines of
> backports.
> Normally, I install the packages with the following command :
> aptitude install "package".

Whatever you implemented, don't let this mamor upgrade confuse you into
checking your apt configs. Stable is generally very quiet, comparatively:

|Date: Sat, 30 Jan 2010 15:56:47 +0100
|From: Joey Schulze <joey@infodrom.org>
|To: Debian Announcements <debian-announce@lists.debian.org>
|Subject: Debian GNU/Linux 5.0 updated
|The Debian Project http://www.debian.org/
|Debian GNU/Linux 5.0 updated press@debian.org
|January 30th, 2010 http://www.debian.org/News/2010/20100130
|Debian GNU/Linux 5.0 updated
|The Debian project is pleased to announce the fourth update of its stable
|distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly
|adds corrections for security problems to the stable release, along with
|a few adjustments for serious problems.
|Please note that this update does not constitute a new version of Debian
|GNU/Linux 5.0 but only updates some of the packages included. There is
|no need to throw away 5.0 CDs or DVDs but only to update via an up-to-
|date Debian mirror after an installation, to cause any out of date
|packages to be updated.
|Those who frequently install updates from security.debian.org won't have
|to update many packages and most updates from security.debian.org are
|included in this update.
|New CD and DVD images containing updated packages and the regular
|installation media accompanied with the package archive respectively will
|be available soon at the regular locations.
|Upgrading to this revision online is usually done by pointing the
|aptitude (or apt) package tool (see the sources.list(5) manual page) to
|one of Debian's many FTP or HTTP mirrors. A comprehensive list of
|mirrors is available at:
| <http://www.debian.org/distrib/ftplist>
|Miscellaneous Bugfixes
|This stable update adds a few important corrections to the following packages:
| Package Reason
| alien-arena Fix remote arbitrary code execution
| amarok Apply regex update to make Wikipedia tab work again
| apache2 Several issues
| backup-manager Fix possible mysql password leakage to local users
| backuppc Prohibit editing of client name alias to avoid unauthorised file access
| base-files Update /etc/debian_version to reflect the point release
| choose-mirror Improve suite selection and validation of suites available on selected mirror
| clock-setup Correctly handle system dates before epoch
| consolekit Don't create pam-foreground-compat tag files for remote users
| debmirror Compress packages files using --rsyncable so they match the files from the archive
| devscripts Update a number of scripts to understand squeeze and lenny-backports
| dhcp3 Fix memory leak and SIGPIPE in LDAP code
| dpkg Various fixes to new source package format support
| drupal6 Fix XSS issues in Contact and Menu modules
| fam Fix 100% CPU usage in famd
| fetchmail Fix init script dependencies; don't complain about missing configuration when disabled
| firebird2.0 Fix DOS via malformed message
| gchempaint Fix segmentation fault
| gdebi Fix gksu call to not pass an option that the Debian package doesn't support
| geneweb Correctly handle database with names containing whitespace in the postinst
| ghc6 Fix deadlock bug on 64-bit architectures
| glib2.0 Fix g_file_copy to correctly set permissions of target files
| glibc Fix bug in realloc() when enlarging a memory allocation
| gnash Reduce messages produced by the browser plugin to avoid filling .xsession-errors
| gnome-system-tools Don't change root's home directory when editing the user and fix group creation dialog
| haproxy Several stability and crash fixes
| kazehakase Disallow adding bookmarks for data:/javascript: URIs (CVE-2007-1084)
| killer Correctly handle long usernames in the ruser field
| libcgi-pm-perl Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape()
| libdbd-mysql-perl Fix segmentation faults caused by auto_reconnect
| libdbd-pg-perl Correctly handle high-bit characters
| libfinance-quote-perl Fix ordering of fields in Yahoo data
| linux-2.6 Several corrections
| linux-kernel-di-alpha-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-amd64-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-arm-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-armel-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-hppa-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-i386-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-ia64-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-mips-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-mipsel-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-s390-2.6 Rebuild against linux-2.6 2.6.26-21
| linux-kernel-di-sparc-2.6 Rebuild against linux-2.6 2.6.26-21
| lkl Rebuild to get new MD5 sum (previous sum was causing FPs from antivirus)
| movabletype-opensource Disable mt-wizard.cgi by default
| munin Fix CPU usage graphs to account for changes in kernel reporting
| mysql-dfsg-5.0 Revert "dummy thread" workaround which causes segfaults and fix crash when using GIS functions
| nss-ldapd Treat usernames and other lookups as case-sensitive
| openttd Fix remote crash vulnerability
| otrs2 Don't globally limit MaxRequestsPerChild on Apache or reject valid domains
| partman-auto-crypto Avoid triggering unsafe swap warning when setting up LVM
| planet-venus Enhance escaping of processed feeds
| proftpd-dfsg SSL certificate verification weakness
| pyenchant Make add_to_personal() work again
| python-docutils Fix insecure temporary file usage in reStructuredText Emacs mode
| python-xml Fix two denials of service
| qcontrol Create persistent input device to handle changes in udev 0.125-7+lenny3
| redhat-cluster Fix problem with resource failover
| request-tracker3.6 Session hijack vulnerability
| roundup Fix pagination regression caused by security fix
| samba Fix regression in name mangling
| serveez Fix remote buffer overflow
| shadow Fix handling of long lines in the user or group files
| spamassassin Don't consider dates in 2010 "grossly in the future"
| system-tools-backends Fix regression in operation of some elements
| texlive-bin Fix crash with large files
| tor Fix crash due to race condition and update authority keys
| totem Update youtube plugin to match changes to the site
| tzdata Update timezone data
| usbutils Update USB IDs
| user-mode-linux Rebuild against linux-source-2.6.26 2.6.26-21
| vpb-driver Fix Asterisk crash with missing config file
| watchdog Ensure daemon really has ended before starting a new one
| webauth Avoid inadvertently including passwords in cookie test URLs
| wireshark Several vulnerabilities
| xfs Fix temporary directory usage in the init script
| xscreensaver Fix local screen lock bypass vulnerability
|A number of packages were rebuilt on the alpha, amd64 and ia64
|architectures to incorporate the fix from the updated ghc6 package:
| alex arch2darcs
| bnfc c2hs
| dfsbuild drift
| cpphs darcs
| darcs-buildpackage darcs-monitor
| datapacker frown
| geordi haddock
| happy haskell-utils
| hat helium
| hmake hpodder
| hscolour lhs2tex
| kaya pxsl-tools
| srcinst uuagc
| whitespace xmonad
|Debian Installer
|The Debian Installer has been updated in this point release to offer
|better support for installation of the "oldstable" distribution and from
|archive.debian.org. The new installer also allows the system date to be
|updated using NTP if it is before January 1st, 1970 at boot time.
|The kernel image used by the installer has been updated to incorporate a
|number of important and security-related fixes together with support for
|additional hardware.
|An update to the udev package in the previous point release
|unfortunately led to the LEDs and on-board buzzer of arm/armel-based
|QNAP NAS devices not operating during installs. This is rectified in
|the new installer release.
|Finally, it is once again possible to use the installer on the S/390
|architecture by booting from CD.
|Security Updates
|This revision adds the following security updates to the stable release.
|The Security Team has already released an advisory for each of these updates:
| Advisory ID Package Correction(s)
| DSA 1796 libwmf Denial of service
| DSA 1825 nagios3 Arbitrary code execution
| DSA 1835 tiff Several vulnerabilities
| DSA 1836 fckeditor Arbitrary code execution
| DSA 1837 dbus Denial of service
| DSA 1839 gst-plugins-good0.10 Arbitrary code execution
| DSA 1849 xml-security-c Signature forgery
| DSA 1850 libmodplug Arbitrary code execution
| DSA 1860 ruby1.9 Several issues
| DSA 1863 zope2.10 Arbitrary code execution
| DSA 1866 kdegraphics Several vulnerabilities
| DSA 1868 kde4libs Several vulnerabilities
| DSA 1878 devscripts Remote code execution
| DSA 1879 silc-client Arbitrary code execution
| DSA 1879 silc-toolkit Arbitrary code execution
| DSA 1880 openoffice.org Arbitrary code execution
| DSA 1882 xapian-omega Cross-site scripting
| DSA 1884 nginx Arbitrary code execution
| DSA 1885 xulrunner Several vulnerabilities
| DSA 1886 iceweasel Several vulnerabilities
| DSA 1887 rails Cross-site scripting
| DSA 1888 openssl Deprecate MD2 hash signatures
| DSA 1889 icu Security bypass due to multibyte sequence parsing
| DSA 1890 wxwidgets2.6 Arbitrary code execution
| DSA 1890 wxwidgets2.8 Arbitrary code execution
| DSA 1891 changetrack Arbitrary code execution
| DSA 1892 dovecot Arbitrary code execution
| DSA 1893 cyrus-imapd-2.2 Arbitrary code execution
| DSA 1893 kolab-cyrus-imapd Arbitrary code execution
| DSA 1894 newt Arbitrary code execution
| DSA 1895 opensaml2 Interpretation conflict
| DSA 1895 shibboleth-sp2 Interpretation conflict
| DSA 1895 xmltooling Potential code execution
| DSA 1896 opensaml Potential code execution
| DSA 1896 shibboleth-sp Potential code execution
| DSA 1897 horde3 Arbitrary code execution
| DSA 1898 openswan Denial of service
| DSA 1899 strongswan Denial of service
| DSA 1900 postgresql-8.3 Various problems
| DSA 1903 graphicsmagick Several vulnerabilities
| DSA 1904 wget SSL certificate verification weakness
| DSA 1905 python-django Denial of service
| DSA 1907 kvm Several vulnerabilities
| DSA 1908 samba Several vulnerabilities
| DSA 1909 postgresql-ocaml Missing escape function
| DSA 1910 mysql-ocaml Missing escape function
| DSA 1911 pygresql Missing escape function
| DSA 1912 advi Arbitrary code execution
| DSA 1912 camlimages Arbitrary code execution
| DSA 1913 bugzilla SQL injection
| DSA 1914 mapserver Several vulnerabilities
| DSA 1915 linux-2.6 Several vulnerabilities
| DSA 1915 user-mode-linux Several vulnerabilities
| DSA 1916 kdelibs SSL certificate verification weakness
| DSA 1917 mimetex Several vulnerabilities
| DSA 1918 phpmyadmin Several vulnerabilities
| DSA 1919 smarty Several vulnerabilities
| DSA 1920 nginx Denial of service
| DSA 1921 expat Denial of service
| DSA 1922 xulrunner Several vulnerabilities
| DSA 1923 libhtml-parser-perl Denial of service
| DSA 1924 mahara Several vulnerabilities
| DSA 1925 proftpd-dfsg SSL certificate verification weakness
| DSA 1926 typo3-src Several vulnerabilities
| DSA 1930 drupal6 Several vulnerabilities
| DSA 1931 nspr Several vulnerabilities
| DSA 1932 pidgin Arbitrary code execution
| DSA 1933 cups Cross-site scripting
| DSA 1934 apache2 Several issues
| DSA 1934 apache2-mpm-itk Several issues
| DSA 1935 gnutls26 SSL certificate NUL byte vulnerability
| DSA 1936 libgd2 Several vulnerabilities
| DSA 1937 gforge Cross-site scripting
| DSA 1938 php-mail Insufficient input sanitising
| DSA 1939 libvorbis Several vulnerabilities
| DSA 1940 php5 Multiple issues
| DSA 1941 poppler Several vulnerabilities
| DSA 1942 wireshark Several vulnerabilities
| DSA 1944 request-tracker3.6 Session hijack vulnerability
| DSA 1945 gforge Denial of service
| DSA 1947 opensaml2 Cross-site scripting
| DSA 1947 shibboleth-sp Cross-site scripting
| DSA 1947 shibboleth-sp2 Cross-site scripting
| DSA 1948 ntp Denial of service
| DSA 1949 php-net-ping Arbitrary code execution
| DSA 1950 webkit Several vulnerabilities
| DSA 1951 firefox-sage Insufficient input sanitizing
| DSA 1952 asterisk Several vulnerabilities
| DSA 1953 expat Denial of service
| DSA 1954 cacti Insufficient input sanitising
| DSA 1956 xulrunner Several vulnerabilities
| DSA 1957 aria2 Arbitrary code execution
| DSA 1958 libtool Privilege escalation
| DSA 1959 ganeti Arbitrary command execution
| DSA 1960 acpid Weak file permissions
| DSA 1961 bind9 Cache poisoning
| DSA 1962 kvm Several vulnerabilities
| DSA 1963 unbound DNSSEC validation
| DSA 1964 postgresql-8.3 Several vulnerabilities
| DSA 1965 phpldapadmin Remote file inclusion
| DSA 1966 horde3 Cross-site scripting
| DSA 1967 transmission Directory traversal
| DSA 1968 pdns-recursor Potential code execution
| DSA 1969 krb5 Denial of service
| DSA 1970 openssl Denial of service
| DSA 1971 libthai Arbitrary code execution
| DSA 1972 audiofile Buffer overflow
| DSA 1974 gzip Arbitrary code execution
| DSA 1976 dokuwiki Several vulnerabilities
| DSA 1978 phpgroupware Several vulnerabilities
| DSA 1979 lintian Multiple vulnerabilities
| DSA 1980 ircd-hybrid Arbitrary code execution
|Removed packages
|The following packages were removed due to circumstances beyond our
| Package Reason
| destar Security issues; unmaintained; abandoned upstream
| electricsheep No longer functional
| gnudip Security issues; unmaintained; abandoned upstream
| kcheckgmail No longer functional
| libgnucrypto-java Security issues; obsolete
|Additionally those parts of the libwww-search-perl and
|libperl4caml-ocaml-dev packages which rely on the Google SOAP search
|API (provided by libnet-google-perl) are no longer functional as the
|API has been retired by Google. The remaining portions of the
|packages will continue to function as before.

. . .

Kind Regards,


All times are GMT.