testing security updates

testing security updates

mick crane
hello,
Debian web page about testing is saying that testing gets infrequent
security updates and that you can get more frequent security updates
from unstable.
Is that what people do ?
have buster for main and bullseye for security updates in sources.list ?

mick

--
Key ID    4BFEBB31


Re: testing security updates

Greg Wooledge
On Thu, Oct 03, 2019 at 08:35:32PM +0100, mick crane wrote:
> Debian web page about testing is saying that testing gets infrequent
> security updates

It's more accurate to say that testing does not get ANY security updates.
Not in any realistic sense.  Packages migrate from unstable into testing,
and if one of those packages happens to fix a security bug, it's a happy
accident.

The only thing that even comes *close* to "security updates in testing"
is the fact that unstable packages that are marked as high priority have
a shorter delay before being automatically copied into testing.

Several years ago, there was an attempt to set up a "security for testing"
repository, but that died out and hasn't been used in years.

> and that you can get more frequent security updates from
> unstable.

Which means some people choose to run unstable rather than choosing
to run testing.  It's their choice.

> Is that what people do ?
> have buster for main and bullseye for security updates in sources.list ?

YOU DO NOT MIX STABLE WITH TESTING.

YOU DO NOT MIX STABLE WITH UNSTABLE.

YOU DO NOT MIX TESTING WITH UNSTABLE.

If you use one of these, you use that one only.  No mixing.
No Frankendebians.

https://wiki.debian.org/DontBreakDebian


Re: testing security updates

mick crane
On 2019-10-03 20:40, Greg Wooledge wrote:

> YOU DO NOT MIX STABLE WITH TESTING.
>
> YOU DO NOT MIX STABLE WITH UNSTABLE.
>
> YOU DO NOT MIX TESTING WITH UNSTABLE.
>
> If you use one of these, you use that one only.  No mixing.
> No Frankendebians.
>
> https://wiki.debian.org/DontBreakDebian

yes sorry, I realized I made an error and should have typed
bullseye for main and unstable for security updates just after pressing
send.
but you say not to do that ?

mick

--
Key ID    4BFEBB31


Re: testing security updates

Greg Wooledge
On Thu, Oct 03, 2019 at 08:54:37PM +0100, mick crane wrote:
> yes sorry, I realized I made an error and should have typed
> bullseye for main and unstable for security updates just after pressing
> send.
> but you say not to do that ?

Correct.  If you want to run unstable, just run unstable.


Re: testing security updates

Joe Rowan
In reply to this post by Greg Wooledge
On Thu, 3 Oct 2019 15:40:53 -0400
Greg Wooledge <[hidden email]> wrote:

> On Thu, Oct 03, 2019 at 08:35:32PM +0100, mick crane wrote:
> > Debian web page about testing is saying that testing gets infrequent
> > security updates  
>
> It's more accurate to say that testing does not get ANY security
> updates. Not in any realistic sense.  Packages migrate from unstable
> into testing, and if one of those packages happens to fix a security
> bug, it's a happy accident.
>
> The only thing that even comes *close* to "security updates in
> testing" is the fact that unstable packages that are marked as high
> priority have a shorter delay before being automatically copied into
> testing.
>
> Several years ago, there was an attempt to set up a "security for
> testing" repository, but that died out and hasn't been used in years.
>
> > and that you can get more frequent security updates from
> > unstable.  
>
> Which means some people choose to run unstable rather than choosing
> to run testing.  It's their choice.
>
> > Is that what people do ?
> > have buster for main and bullseye for security updates in
> > sources.list ?  
>
> YOU DO NOT MIX STABLE WITH TESTING.
>
> YOU DO NOT MIX STABLE WITH UNSTABLE.
>
> YOU DO NOT MIX TESTING WITH UNSTABLE.
>
> If you use one of these, you use that one only.  No mixing.
> No Frankendebians.
>
> https://wiki.debian.org/DontBreakDebian
>

But the boot-up banner for unstable always contains the distribution
name "<current testing>/sid" and always includes testing in the
sources.list along with unstable. This is where stable is minimally
installed then immediately upgraded directly to unstable, which is how
I do it. I've never installed testing, or upgraded to it, or placed it
deliberately in sources.list.

--
Joe


Re: testing security updates

tomas@tuxteam.de
In reply to this post by Greg Wooledge
On Thu, Oct 03, 2019 at 03:40:53PM -0400, Greg Wooledge wrote:

[...]

> YOU DO NOT MIX STABLE WITH TESTING.
>
> YOU DO NOT MIX STABLE WITH UNSTABLE.
>
> YOU DO NOT MIX TESTING WITH UNSTABLE.

Wow. I'd rather say: you do not "do not".

Know the downsides, know what can break, and then, when it's
appropriate, by all means, mix whatever you want to mix.

That said (and this comes as a small paradox), stable usually
mixes better with unstable than with testing.

I've been using a Frankendebian happily for ~3/4 year as my
main work machine. Be sure you know what you're into. Be
prepared to fiddle with apt.

Cheers
-- t


Re: testing security updates

Brad Rogers
In reply to this post by Greg Wooledge
On Thu, 3 Oct 2019 15:40:53 -0400
Greg Wooledge <[hidden email]> wrote:

Hello Greg,

>YOU DO NOT MIX STABLE WITH TESTING.
>
>YOU DO NOT MIX STABLE WITH UNSTABLE.
>
>YOU DO NOT MIX TESTING WITH UNSTABLE.

By and large, I agree.

I would add a few caveats, though.

If one uses sites such as spotify or amazon video, one has, on
occasion, to install a version of firefox(1) from unstable because those
two companies insist on supporting only a small number of versions of
the browser.  As such, after a while, the version of ff in testing
sometimes becomes 'too old', necessitating another update.  TBH, I'd
prefer not to do this, but my kids use both spotify & amazon video.  And
for a quiet(er) life.......

Also, currently, digikam is not in testing.  No big deal, I have it
installed and working.  *However* if I had just installed testing, I
would get digikam from stable, because I use it daily, and can't do
certain things without it.

Also, as Tomas says, if you know the pros and cons, you can mix and
match.  Of course, if stuff breaks, then you get to keep the pieces.

(1)  I could use a version direct from mozilla, but I prefer to avoid
that.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Age of destruction, age of oblivion
Neuromancer - Billy Idol


Re: testing security updates

tomas@tuxteam.de
On Fri, Oct 04, 2019 at 10:52:16AM +0100, Brad Rogers wrote:

> On Thu, 3 Oct 2019 15:40:53 -0400
> Greg Wooledge <[hidden email]> wrote:
>
> Hello Greg,
>
> >YOU DO NOT MIX STABLE WITH TESTING.
> >
> >YOU DO NOT MIX STABLE WITH UNSTABLE.
> >
> >YOU DO NOT MIX TESTING WITH UNSTABLE.
>
> By and large, I agree.
>
> I would add a few caveats, though.

Yeah, I "caved", too...

> If one uses sites such as spotify or amazon video [...]

...but why on earth would you want to do THAT? Eeeek... ;-)

Cheers (tongue-in-cheek, really)
-- t


Re: testing security updates

Brad Rogers
On Fri, 4 Oct 2019 12:14:00 +0200
<[hidden email]> wrote:

Hello [hidden email],

>...but why on earth would you want to do THAT? Eeeek... ;-)

*I* don't;  It's the kids.

Honest.

:-)

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Where will you be when the bodies burn?
The Gasman Cometh - Crass


Re: testing security updates

Thomas Schmitt
Hi,

Brad Rogers wrote:
> > > If one uses sites such as spotify or amazon video

[hidden email] wrote:
> >...but why on earth would you want to do THAT? Eeeek... ;-)

Brad Rogers wrote:
> *I* don't;  It's the kids.

I wonder whether there is a Debian Developer willing to create a package
which installs the Greta-at-UN video or sound track as start-up message of
such programs:

  "How Dare You !"


Have a nice day :)

Thomas


Re: testing security updates

Sven Hartge-5
In reply to this post by Greg Wooledge
Greg Wooledge <[hidden email]> wrote:

> YOU DO NOT MIX TESTING WITH UNSTABLE.

> If you use one of these, you use that one only.  No mixing.
> No Frankendebians.

But you *can* mix Unstable with Testing. (Note the order here.)

Normally no package from Testing will get pulled in, but sometimes this
is the only way to install some packages during transitions if not every
package in the chain has been rebuilt (correctly).

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Re: testing security updates

Greg Wooledge
In reply to this post by Brad Rogers
On Fri, Oct 04, 2019 at 10:52:16AM +0100, Brad Rogers wrote:
> Also, currently, digikam is not in testing.  No big deal, I have it
> installed and working.  *However* if I had just installed testing, I
> would get digikam from stable, because I use it daily, and can't do
> certain things without it.

Yeah, I gave the (overly) simplified set of warnings.

You can't "run stable but cherry-pick from testing".  A lot of people
want to do that.  It cannot be done safely, at least not by someone who
isn't an expert.  (Use backports instead!)

But you *can* run testing and cherry-pick from stable (sometimes).  Or,
you can run stable and cherry-pick from oldstable (sometimes).  It
requires some knowledge and carries some risk.

It's mostly a matter of understanding that you are running the *newest*
of whichever set of branches you mix.  If you have some packages from
stable, and some packages from unstable, you are running unstable.  It
doesn't matter whether it's 99% stable, or 1% stable -- it's still
really unstable.  You need to see it that way, or you are screwed.

For *most* users, running stable, or running stable plus selected
backports, is the correct choice.
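
The rule in the message above (a mixed system counts as the newest branch it draws from) can be checked against a sources.list. The following is an added example, not part of the original thread; it assumes one-line-style entries and the codename mapping current in October 2019, and it reports what apt may pull from, not what is actually installed.

```python
import re

# Assumption: codename-to-branch mapping as of this thread (October 2019).
BRANCH_OF = {
    "oldstable": "oldstable", "stretch": "oldstable",
    "stable": "stable", "buster": "stable",
    "testing": "testing", "bullseye": "testing",
    "unstable": "unstable", "sid": "unstable",
}
ORDER = ["oldstable", "stable", "testing", "unstable"]  # oldest to newest

# Constructed sample inputs (not taken from any poster's machine).
MIXED_SOURCES = """\
deb http://deb.debian.org/debian bullseye main
deb-src http://deb.debian.org/debian bullseye main
# deb http://deb.debian.org/debian buster main
deb [arch=amd64] http://deb.debian.org/debian unstable main
"""
STABLE_SOURCES = """\
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster-backports main
"""

def suite_branch(suite):
    """Map a suite such as 'buster/updates' or 'buster-backports' to its branch."""
    base = re.split(r"[/-]", suite, maxsplit=1)[0]
    return BRANCH_OF.get(base)

def branches_in(sources_text):
    """Return the set of branches referenced by active deb/deb-src lines."""
    found = set()
    for raw in sources_text.splitlines():
        line = raw.split("#", 1)[0]              # strip comments
        line = re.sub(r"\[[^\]]*\]", "", line)   # strip [arch=...] style options
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        branch = suite_branch(fields[2])
        if branch:
            found.add(branch)
    return found

def effective_branch(sources_text):
    """Return (newest branch referenced, whether more than one branch is mixed)."""
    found = branches_in(sources_text)
    if not found:
        return None, False
    return max(found, key=ORDER.index), len(found) > 1
```

Backports and security suites are counted as part of their base release here, so a stable system with backports is reported as unmixed.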


Re: testing security updates

Brad Rogers
On Fri, 4 Oct 2019 08:45:27 -0400
Greg Wooledge <[hidden email]> wrote:

Hello Greg,

>Yeah, I gave the (overly) simplified set of warnings.

I'm sure we can all come up with so many different scenarios that this
could run and run if we let it.

Suffice to say, there are always exceptions that prove the rule.

Like I said (you already know this);  If you break your install, you get
to keep all the pieces.

Finally:  Mixing different variants (stable, testing, unstable, etc.) is
not something I undertake lightly.  So far, it's only firefox that's
from unstable.  The rest is testing - your comment "if it's 1% unstable,
it's still unstable" notwithstanding.  Apologies if I misquoted that.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
This is the fifty first state of the USA
Heartland - The The
