Getting Debian Security Updates

Posted by Steve on Tue 13 Sep 2005 at 17:41

If you're new to Debian you might be confused about how to get access to the Debian security updates. This short introduction tells you all you need to know.

To start with it helps if you are familiar with the way that Debian is released. Currently there are three flavours, or "branches" of Debian available:

  • Stable - Sarge (Debian 3.1)
    • This is the current stable release.
  • Unstable - Sid
    • This is the staging area in Debian where new work is conducted.
  • Testing
    • After packages have been contained in "Unstable" for a short while they are moved into the "Testing" release. Testing will ultimately be released as the next stable Debian, Etch.

As you can see there are three major flavours here. The simplest way to follow these names is to understand how they are used. The "order" of the releases is something like this:

  1. Unstable
  2. Testing
  3. Stable

Packages are uploaded to the unstable distribution, sid, and anybody running that distribution can get them almost immediately afterwards.

After a short wait the package is moved into testing, but only if all of its dependencies are also available for testing. The wait can be 3, 5, or 10 days. It is worth repeating that this migration happens only when every dependency of the relevant package is available for testing as well.

At some point in the future the entire state of the Testing distribution will be frozen - and that will be released as the next Stable release. We don't know what the version number will be, but the next Stable release will be called "Etch".

Now that we've briefly explained the different distributions of Debian we can look at the security support.

If you're running Unstable there are no security updates available. Hopefully problems will be resolved by new uploads as soon as they are available - however even this is not guaranteed.

The other two distributions, Stable and Testing, both have security support in place.

To gain access to the security updates you can use the standard Debian tools, apt-get, aptitude, or synaptic. To do this you just need to make sure your apt setup is correct.

apt downloads and reads a list of "sources" to find out which packages are available and what their version numbers are; it must do this to work out whether newer packages exist than those currently installed on your system.

The sources are configured in the file /etc/apt/sources.list. Once that file is configured correctly you can update your system by running:

apt-get update
apt-get upgrade

(You can also use "aptitude update; aptitude upgrade" instead if you prefer - or synaptic.)

Stable Security Sources

If you are running the Debian Stable release, codenamed Sarge, then you should have the following listed in your sources.list file:

#
#  Debian Security Updates
#
deb     http://security.debian.org/ sarge/updates main contrib non-free
deb-src http://security.debian.org/  sarge/updates main contrib non-free

For more details on Debian Stable's security handling please see the following URL:

If you wish to keep advised of security updates as they are released you can subscribe to the debian-security-announce mailing list - this receives a single message for each released advisory.

Testing Security Sources

If you are running the Debian Testing release, which will eventually be released as the next stable release, Etch, then you should have the following listed in your sources.list file:

deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free

The security support for Testing is relatively new, and was announced on the 9th of September 2005.

For more details on the testing security support please see the following URL:

Posted by lindenle (70.225.xx.xx) on Tue 13 Sep 2005 at 18:28
Hi I have a question that is related to this subject. Say I have a server which I log into maybe once every six months (or less) but I want it to update security patches by itself in between my checking. Could I comment out everything but the debian-security line in /etc/apt/sources.list and then use the cron-apt package to automatically update and upgrade just from debian security. I guess my main question is does the security repository stand alone or does it have dependencies in the normal stable repository. Thanks for any advice/criticism concerning this idea.

Alex


Posted by Steve (82.41.xx.xx) on Tue 13 Sep 2005 at 18:41

The intention is that the security repository is distinct from all others, and security updates will not contain new dependencies, or behave differently than the previous package did.

However it might be possible that this does not hold for "big" upgrades - such as Mozilla/Firefox (to pick a random example) - which can't be realistically handled by the team.

I think it is worth minimizing the software on any host you cannot devote personal and ongoing attention to .. if you can do that then cron-apt, or similar, might be able to do a good job for you.

Steve
--


Posted by Anonymous (130.88.xx.xx) on Fri 12 May 2006 at 02:03
I can't see why mozilla would be a problem for the security team. The security team don't tend to go uploading new upstream versions anyway. They just patch the hole, rebuild and upload.

And apt should just fail if there is a new dependency introduced that it can't satisfy; it shouldn't break anything.


Posted by deego (63.126.xx.xx) on Tue 13 Sep 2005 at 20:20
Nice article. Thanks, Steve. Didn't know about etch security support.


If I try apt-show-versions | grep -v stable, I see a lot of matches like these. It is clear that each such case must be examined carefully, but I am very unsure what to do; a blind purging would probably get me into trouble. I almost wonder if this could be the subject of an article. Here are just a few examples that illustrate the diversity:
----
liblinc1 2:1.0.3-4 newer than version in archive
liblinc1:
Installed: 2:1.0.3-4
Candidate: 2:1.0.3-4
Version Table:
*** 2:1.0.3-4 0
100 /var/lib/dpkg/status
0.1.21-1 0
500 http://mirrors.kernel.org woody/main Packages
----
libgnutls10 1.0.4-8 installed: No available version in archive
----
kernel-headers-2.6.8-1-686 2.6.8-10 installed: No available version in archive
^^ very strange
----
libboost-python1.31.0 1.31.0-9 installed: No available version in archive
----
libparted1.6-0 1.6.11-8 installed: No available version in archive
----
kernel-headers-2.6.8-1 2.6.8-10 installed: No available version in archive
----
libgcrypt7 1.1.90-9 installed: No available version in archive
----
kernel-image-2.6.8-1-686 2.6.8-10 installed: No available version in archive
^^ this one is the only one I understand, this must be one I compiled by hand, and still keep around. (though I have now switched back to a stock kernel)
----





Posted by deego (63.126.xx.xx) on Tue 13 Sep 2005 at 20:22
(Please pardon all the typos above, it is taking me long to get used to dvorak.)


Posted by gonad (219.89.xx.xx) on Wed 14 Sep 2005 at 07:10
Sorry, this is OT. How is your transition to Dvorak going? I'm suffering some fairly bad wrist pain in my right hand and am getting to the point where I'll try anything... would you recommend it? Why did you make the change?


Posted by Anonymous (24.197.xx.xx) on Wed 14 Sep 2005 at 16:12

Actually, I am planning to go back, personally. Dvorak's 10-f typing is really, really good and beats qwerty hands down, imo. So, for a 10-f touchtyping guy, I still recommend that they try out dvorak.

But I prefer 8-finger typing (no pinkies, I think 8-f typing keeps my RSI in check -- this is the style you develop when you naturally let your typing evolve without learning to 10f touchtype (I actually had to make myself forget 10-f-tt)) and am real good at it.




It seems to me that when it comes to 8-f typing, there is no difference. Perhaps, qwerty is better. In dvorak, all the important keys are too closely spaced for my 8-f typing to be as good as it was on qwerty. And I keep hitting the wrong vowels. I did learn 10-f tt on dvorak too, but switched back to 8f.

Of course, add to that the inconvenience of the weird placement of all control keys. Try typing emacs' C-x C-s on emacs, for example, and you will see what I mean.

Finally, I don't have to (too much), but if you ever had to work offsite, imagine the (minor) pain of switching back and forth.

I cleared LPI linux certification, and was planning to try out the advanced one next. There, I will have to use qwerty during the exam.

Don't let the last 2 points discourage you too much though. -- somehow, one retains a pretty good memory of qwerty.


All said, I plan to stick with dvorak at least till the end of the year, just to make sure I gave it a fair try, and only then switch back, if at all. Maybe I will actually think dvorak is better for me by the end of the year. It has been about a month now. I have been thinking of dvorak for 4--5 years, and only now did I jump in all the way. I should definitely give it a "full" try. -- deego (sorry, forgot to log in before typing this all up)




Posted by deego (24.197.xx.xx) on Tue 7 Oct 2008 at 21:04
Update: After I gave it that full try mentioned above, I never went back to qwerty. I am now a happy dvorak user for 3 years. The bottom of this page documents my dvorak experience: http://www.gnufans.net/~deego/DeegoWiki/DvorakLinks.html -- deego (2008.)


Posted by deego (12.166.xx.xx) on Wed 14 Sep 2005 at 18:18
Re: pain, I like using workrave (apt-get install)


Posted by gonad (219.89.xx.xx) on Fri 16 Sep 2005 at 11:27
Yeah, workrave is great (stumbled across it not too long ago), it's amazing how many keystrokes are actually made!

I wish I didn't have a job that was semi phone support. Getting workraved (locked out) during a phone call could be a pain in the butt ;)


Posted by deego (24.197.xx.xx) on Fri 16 Sep 2005 at 13:56
give it a "fuller" try. :)

[1] it tries to go into rest mode only when and if you have stopped typing..

[2] even if it goes into rest-mode you can skip or postpone any rest period, and have the control of your screen right back..


Posted by Steve (82.41.xx.xx) on Wed 14 Sep 2005 at 12:05

To be honest I'd just try removing them and seeing what broke ;)

The packages you have listed, apart from the kernel-headers, appear to be just libraries. I'd expect they could be removed if you have nothing depending upon them. If that is the case then using deborphan, or similar, should help you out a lot.

Although I guess it depends how you ended up in this situation?

(And given the mention of Woody - do you intend to upgrade to Sarge soon? If so that might take care of all your problems for you!)

Steve
--


Posted by deego (24.197.xx.xx) on Wed 14 Sep 2005 at 16:18
Steve, thanks for the reply.

I am all the way 100% at sarge. woody just appears in my sources.list, that's why you saw it in the apt-cache policy output. It is probably pinned at -20 too.

Try out

apt-show-versions | grep -v stable

apt-show-versions | grep -v unstable

as the case may be, and I bet you will see 10-20 listings too.

I'd bet we are all in this same situation. I have done nothing out of the ordinary. Plain woody install earlier --> sarge upgrade later. That is it. Almost no 3rd party packages.


Posted by Anonymous (82.227.xx.xx) on Tue 13 Sep 2005 at 21:33
About security updates and cron.. is there a way, by using apt-preferences and releases, to update and upgrade ONLY security things? And that this should be done non-interactively (like someone else said, for machines being upgraded only once upon a time)

TIA

Laurent


Posted by simonw (84.45.xx.xx) on Wed 14 Sep 2005 at 01:12
Sarge (current stable) should only change for security reasons, that is the key point of being "stable".

My Sarge servers have two entries in sources.list, one for "sarge" (by name, not by the alias "stable"), and one for security.

I think recent changes to the 2.6 kernel would pull in new packages on many machines, so I think removing the "sarge" repository on the grounds it "might change" would be a foolish step.

The servers we have should change only occasionally, but I still prefer to use cron-apt to email me (the default). This morning for example I was presented with a squid upgrade, and the only server running Squid (and Debian) front ends 30,000+ websites as an accelerator. I was reasonably confident having read the description of the changes, but I still made sure to install and run it on another box, just to gain that little bit of confidence when changing such a core component of our business.

Guess if you have a LOT of Debian boxes you probably want to automate the updates, but then you probably can justify the effort of maintaining your own mirror, and doing further testing before distributing updates.


Posted by plovs_ (195.13.xx.xx) on Thu 29 Sep 2005 at 11:19
From the README of the (very useful) cron-apt package:

Alternate sources.list file
---------------------------

If you just want to update security related things you can always use an
alternate sources.list files by giving this extra information to the OPTIONS
variable in the configuration file.

OPTIONS="-q -o Dir::Etc::SourceList=/etc/apt/security.sources.list"

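The sources.list entries in the article's "Stable Security Sources" section and the cron-apt alternate sources.list shown in the comment above both come down to which "deb" lines are active in a file. The following functions, an added example that is not part of the original article nor of cron-apt, check that a file carries the security.debian.org source for a suite, that a cron-apt "security only" list really contains nothing else, and that no line tracks a release alias such as "stable" that silently moves to the next release. The file names and sample contents written by write_sample_sources are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or cron-apt): checks over apt sources
# files. All sample files here are constructed; real hosts would point the
# functions at /etc/apt/sources.list or the cron-apt alternate list instead.

# Active (uncommented) "deb" lines with whitespace normalised. deb-src lines are
# skipped: they do not affect which binary packages apt-get upgrade installs.
active_deb_lines() {
    grep -E '^[[:space:]]*deb[[:space:]]' "$1" \
        | sed 's/[[:space:]][[:space:]]*/ /g; s/^ //'
}

# 0 if FILE carries the security.debian.org source for SUITE (e.g. "sarge").
has_security_source() {
    active_deb_lines "$1" \
        | grep -qE "^deb http://security\.debian\.org/ $2/updates( |$)"
}

# 0 if FILE's active deb lines are the SUITE security source and nothing else,
# which is what the alternate list handed to cron-apt via OPTIONS should hold.
security_only() {
    has_security_source "$1" "$2" || return 1
    if active_deb_lines "$1" | grep -vq 'security\.debian\.org'; then
        return 1            # some non-security source is active as well
    fi
    return 0
}

# 0 if any active deb line names stable/testing/unstable rather than a codename;
# such a line silently follows the next release once the alias moves.
uses_release_alias() {
    active_deb_lines "$1" | awk '{ print $3 }' \
        | grep -qE '^(stable|testing|unstable)(/|$)'
}

# Constructed samples: a full sarge list, a security-only list, an alias list.
write_sample_sources() {
    cat > "$1/full.list" <<'EOF'
deb http://ftp.debian.org/debian/ sarge main contrib non-free
deb-src http://ftp.debian.org/debian/ sarge main contrib non-free
#  Debian Security Updates
deb     http://security.debian.org/ sarge/updates main contrib non-free
deb-src http://security.debian.org/  sarge/updates main contrib non-free
EOF
    printf 'deb http://security.debian.org/ sarge/updates main contrib non-free\n' \
        > "$1/security.list"
    printf 'deb http://ftp.debian.org/debian/ stable main\ndeb http://security.debian.org/ stable/updates main\n' \
        > "$1/alias.list"
}
```

On a live system, source the file and run e.g. `has_security_source /etc/apt/sources.list sarge && echo ok`, or `security_only /etc/apt/security.sources.list sarge` before pointing cron-apt at that alternate list.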

Posted by Anonymous (217.197.xx.xx) on Tue 13 Sep 2005 at 22:38

Isn't oldstable, a.k.a. woody still officially supported, just like stable?


Posted by Steve (82.41.xx.xx) on Wed 14 Sep 2005 at 06:51

Yes, but I figured most people would have upgraded - so I didn't mention it...

Steve
--


Posted by ido50 (85.64.xx.xx) on Wed 14 Sep 2005 at 15:31
I'm confused. I'm running Etch. Should I add the new testing security-updates repository to the source list alongside the stable repository, or replace them?

In other words, should I still have the stable security-update repository on my source list?


Posted by Steve (82.41.xx.xx) on Wed 14 Sep 2005 at 15:38

You are not running Etch. Instead you're running what will become Etch when it is released. Right now it is just "testing".

If you're running testing then having the stable security updates is pointless, as your versions are already newer than the packages installed in stable.

You only need the testing-security lines listed, so you can remove/replace the stable line(s).

Steve
--


Posted by ido50 (85.64.xx.xx) on Wed 14 Sep 2005 at 15:51
OK thanks. Anyway, testing is currently codenamed etch (Also by the Debian project itself, as can be seen on Debian's website), so I think it's OK to use the terms interchangeably, so long as etch has not yet been released... Am I wrong?


Posted by Steve (82.41.xx.xx) on Wed 14 Sep 2005 at 15:59

It might be called Etch but that is with the understanding that testing will be frozen at some future point, and that frozen collection of packages will be the next stable release, called Etch.

It's probably not a big deal right now, but when Etch does get released anybody who continues to stick with testing will be confused when the name suddenly changes; it will also make diagnosing exactly which packages they have more difficult.

I should probably be less pedantic, sorry!

Steve
--


Posted by Anonymous (213.128.xx.xx) on Wed 31 May 2006 at 22:57
Interesting article, but I got problems with the described configuration.

while doing an aptitude update it spits out:

W: GPG error: http://secure-testing.debian.net etch/security-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 946AA6E18722E71E
W: You may want to run apt-get update to correct these problems

Of course, running apt-get does not correct anything.

So it seems like there is no public key for this repository. I don't understand that too much; I just wanted to ask, how do I solve this?

Thanks!


Posted by Steve (62.30.xx.xx) on Thu 1 Jun 2006 at 09:24

You need to import the GPG key for apt to do checking with. See the following article for details:

Steve

