security updates for Debian:11

Looking at the meta for the https://build.opensuse.org/project/show/Debian:11 project I notice that this uses the following 3 sources:

<repository name="standard">
  <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye/main" repotype="deb">
<repository name="update">
  <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-updates/main" repotype="deb">
<repository name="backports">
  <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-backports/main" repotype="deb">

I wonder if we should also include the debian security source? This will contain security fixes that are neither in update nor standard (until the next point release of standard):

deb http://deb.debian.org/debian-security/ bullseye-security main

See: https://wiki.debian.org/SourcesList for full details of debian sources.

Thanks,
Nick

On Mittwoch, 3. Mai 2023, 15:15:57 CEST Nicholas Brown wrote:
Looking at the meta for the https://build.opensuse.org/project/show/Debian:11 project I notice that this uses the following 3 sources:
<repository name="standard"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye/main" repotype="deb">
<repository name="update"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-updates/main" repotype="deb">
<repository name="backports"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-backports/main" repotype="deb">
I wonder if we should also include the debian security source? This will contain security fixes that are neither in update nor standard (until the next point release of standard):
deb http://deb.debian.org/debian-security/ bullseye-security main
See: https://wiki.debian.org/SourcesList for full details of debian sources.
We can add it, not sure if it is important because security fixes are only in rare cases important at build time.

What is the reason why Debian is not releasing these as normal updates for their users though?

-- 
Adrian Schroeter <adrian@suse.de>
Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
(HRB 36809, AG Nürnberg) Geschäftsführer: Ivo Totev

Adrian Schröter wrote:
On Mittwoch, 3. Mai 2023, 15:15:57 CEST Nicholas Brown wrote:
[...]
We can add it, not sure if it is important because security fixes are only in rare cases important at build time.
That would be brilliant, thanks! Agreed that security fixes for package build dependencies are more rare, but they can occasionally include some libraries. And for things like image and container builds the security updates can be important.
What is the reason why Debian is not releasing these as normal updates for their users though?
In short, they do, but it can take some weeks/months to migrate from the security source to the updates for a point release. I think that these probably explain it best:

https://wiki.debian.org/SourcesList
- StableUpdates: official Debian repository for changes that cannot wait for the next point release, packages are also added to StableProposedUpdates for inclusion in the next point release
- DebianSecurity: official Debian repository for frequent security updates

https://www.debian.org/security/faq#proposed-updates
A: This directory contains packages which are proposed to enter the next revision of Debian stable. Whenever packages are uploaded by a maintainer for the stable distribution, they end up in the proposed-updates directory. Since stable is meant to be stable, no automatic updates are made. The security team will upload fixed packages mentioned in their advisories to stable, however they will be placed in proposed-updates first. Every couple of months the Stable Release Manager checks the list of packages in proposed-updates and discusses whether a package is suited for stable or not. This is compiled into another revision of stable (e.g. 2.2r3 or 2.2r4). Packages that don't fit will probably be rejected and dropped from proposed-updates as well.

Thanks,
Nick
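The check behind this thread, as an added example that is not code from OBS or from either participant: parse the `<repository>`/`<download>` meta quoted at the top, report which Debian suites the project's deb sources track, and append a `bullseye-security` source when none is present. The `<project>` wrapper, the closing tags and the security mirror's `<mirror>/<suite>/<component>` path layout are assumptions.

```python
"""Audit an OBS project meta for a Debian security download source."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed meta modelled on the three repositories quoted in the thread;
# the <project> wrapper and closing tags are assumed.
PROJECT_META = """<project name="Debian:11">
  <repository name="standard">
    <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye/main" repotype="deb"/>
  </repository>
  <repository name="update">
    <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-updates/main" repotype="deb"/>
  </repository>
  <repository name="backports">
    <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-backports/main" repotype="deb"/>
  </repository>
</project>"""

# The source proposed in the thread, written in the same <mirror>/<suite>/<component>
# layout as the existing entries (assumed layout).
SECURITY_DOWNLOAD = {
    "arch": "x86_64",
    "url": "http://deb.debian.org/debian-security/bullseye-security/main",
    "repotype": "deb",
}


def deb_suites(meta_xml):
    """Return {repository name: suite} for every repotype="deb" download."""
    suites = {}
    for repo in ET.fromstring(meta_xml).iter("repository"):
        for dl in repo.findall("download"):
            if dl.get("repotype") != "deb":
                continue
            parts = urlparse(dl.get("url")).path.rstrip("/").split("/")
            suites[repo.get("name")] = parts[-2]  # .../<suite>/<component>
    return suites


def missing_security_suite(meta_xml, codename="bullseye"):
    """True when no deb download source tracks <codename>-security."""
    return f"{codename}-security" not in deb_suites(meta_xml).values()


def with_security_repo(meta_xml, name="security"):
    """Return the meta with a security <repository> appended if it was missing."""
    if not missing_security_suite(meta_xml):
        return meta_xml
    root = ET.fromstring(meta_xml)
    repo = ET.SubElement(root, "repository", name=name)
    ET.SubElement(repo, "download", **SECURITY_DOWNLOAD)
    return ET.tostring(root, encoding="unicode")
```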