Hi,
Are Debian packages updated within a release?
After running: "# apt update"
# apt list -a linux-image-amd64
Listing... Done
linux-image-amd64/stable-backports 6.11.10-1~bpo12+1 amd64
linux-image-amd64/stable-updates 6.1.124-1 amd64 [upgradable from: 6.1.106-3]
linux-image-amd64/stable 6.1.123-1 amd64
linux-image-amd64/stable-security 6.1.119-1 amd64
linux-image-amd64/now 6.1.106-3 amd64 [installed,upgradable to: 6.1.124-1]
# apt list -a nvidia-driver
Listing... Done
nvidia-driver/stable 535.216.01-1~deb12u1 amd64
nvidia-driver/stable-backports 535.183.06-1~bpo12+1 amd64
nvidia-driver/stable-updates 525.147.05-7~deb12u1 amd64
# apt list -a chromium
Listing... Done
chromium/stable-security 132.0.6834.83-1~deb12u1 amd64
chromium/stable 131.0.6778.139-1~deb12u1 amd64
# apt list -a firefox-esr
Listing... Done
firefox-esr/stable-security 128.6.0esr-1~deb12u1 amd64 [upgradable from: 115.15.0esr-1~deb12u1]
firefox-esr/stable 128.5.0esr-1~deb12u1 amd64
firefox-esr/now 115.15.0esr-1~deb12u1 amd64 [installed,upgradable to: 128.6.0esr-1~deb12u1]
# apt list -a rsync
Listing... Done
rsync/stable-security 3.2.7-1+deb12u2 amd64
rsync/stable 3.2.7-1 amd64
George.
Sent: Friday, January 17, 2025 at 8:30 PM
From: "Max Nikulin" <manikulin@gmail.com>
To: debian-user@lists.debian.org
Subject: Re: Are Debian packages updated within a release?
On 18/01/2025 07:34, George at Clug wrote:
Would I be correct in assuming this is because the version of Chromium
(as in its features) are being updated within Debian 12
Major browsers are an exception. Security fixes are frequent and
massive. The upstream teams do not maintain stable versions with support period comparable to Debian stable. It would be too much burden for
Debian maintainers to track and backport security fixes.
That is why latest Chromium release is available in bookworm. Firefox
and Thunderbird packages follow ESR version, so 102 to 115 to 128
updates with point releases approximately every month.
In Ubuntu it was one of the reasons why they ceased building .deb
packages for browsers and switched to snap. Latest releases may rely on
features unavailable in development tools from LTS distributions. A
complete container independent of the system alleviates some issues.
I like that Debian developers and maintainers are still able to build
.deb packages for browsers.
In the case of rsync Debian backported a fix. Therefore it gets the old
version number with a suffix to indicate that Debian patched it. In the
case of chromium upstream patched it and released the patched version
with a new version number.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA
I rarely use backports, but when I do, I like the "adjusted and
recompiled for usage on Debian stable" part, much better than grabbing
packages from other distributions and just installing them, hoping
there will not be issues. Though I had not realised that at times, a
package would be moved/copied from backports into security, I would
not have expected that action, but it does make sense when you
explained it.
That is why the rolling release method is superior to the old model
used by others.
Most rolling release distributions do the same and you get the latest updates, features and fixes
Sent: Friday, January 17, 2025 at 9:10 PM
From: "Roberto C. Sánchez" <roberto@debian.org>
To: debian-user@lists.debian.org
Subject: Re: Are Debian packages updated within a release?
On Sat, Jan 18, 2025 at 02:36:34AM +0100, pocket@homemail.com wrote:
That is why the rolling release method is superior to the old model used by others.
s/superior/different/
Most rolling release distributions do the same and you get the latest updates, features and fixes
We know. Now please stop.
If you really care about a rolling release and that is the only thing
you are interested in discussing, then debian-user is clearly not the
right place to be. You can easily find a place that has the type of discussion that you are looking for, and the rest of us would thank you kindly for availing yourself of one or more of those options.
Sent: Friday, January 17, 2025 at 9:10 PM
From: "Stefan Monnier" <monnier@iro.umontreal.ca>
To: debian-user@lists.debian.org
Subject: Re: Are Debian packages updated within a release?
That is why the rolling release method is superior to the old model
used by others.
Yes, and for the same reason non-rolling release distributions of
GNU/Linux don't exist. Actually, for that same fundamental reason,
there is only one GNU/Linux distribution (the one that "is
superior").
Stefan
Stefan
All your posts end up in the spam directory of my account on mail.com.
I need to leave them there.
Oh I see you would rather stick your fingers in your ears and pretend all is well.
I determine what is right for me, you certainly don't
On Sat, Jan 18, 2025 at 12:14:16PM +1100, George at Clug wrote:
I rarely use backports, but when I do, I like the "adjusted and
recompiled for usage on Debian stable" part, much better than grabbing
packages from other distributions and just installing them, hoping
there will not be issues. Though I had not realised that at times, a package would be moved/copied from backports into security, I would
not have expected that action, but it does make sense when you
explained it.
To be entirely clear, "at times, a package would be moved/copied from backports into security" is 100% NOT what happens.
Backporting (at least in the Debian context) has two distinct meanings:
- a specific patch or set of patches, which are prepared for a given
version of a package, are adapted to an older version of that package
- a newer version of some package is rebuilt for an older version of
Debian (using the older tools and dependencies of that older Debian
version)
Both of these may happen within the context of a security update, the
second also happens at times outside of a security context.
For the "specific set of patches" case, many open source projects only maintain a single active development branch of their project. When a
security vulnerability is announced, they fix it in that active release branch and then move on with life.
When that happens, distro maintainers that are responsible for the
security of older versions of these projects are left to grab the
patches from upstream (usually in the form of one or more git commit
diffs) and then adapt those patches to the older version. This activity
is "backporting of one or more specific patches". This is what was done recently in the case of rsync.
There is almost never a need to perform this sort of backporting outside
of a security context, though it has happened on occasion.
As far as the two types of full package backports, there is a security
reason to this and a non-security reason.
In the case of security fixes, certain projects make dedicated releases
that restrict the fixes on a given branch to security and high severity
bugs. Projects with a good reputation for this and with policies that
align well with Debian's stable release criteria include Mozilla,
Chromium, MariaDB, PostgreSQL and some others. In general, when they fix
a vulnerability, they fix it in all actively maintained branches. When
that happens and those branches include a new release in the same series
as what is in Debian stable (which is often the case), then the security
team is able to incorporate that new version of the package, build it
for Debian stable and release that as a security update (with something
like a +deb12uX version number).
The other type of full package backport is not for security reasons but
for reasons of wanting a newer version of a package (along with newer features) in an older Debian release. These packages are provided via
the backports archive, they are not given any security support, and importantly they do not conform to Debian's stable release criteria.
This means that these packages may have open security vulnerabilities,
and they may have features and behaviors which differ substantially from
what was released in Debian stable. In other words, they may break your
existing whatever (programs you are compiling in the case of a library,
scripts you've written in the case of an interpreter, etc).
Regards,
-Roberto
--
Roberto C. Sánchez
Oh I see you would rather stick your fingers in your ears and pretend all is well.
I determine what is right for me, you certainly don't
Andy Smith (12025-01-18):
Why do you continue to post to this list
Why do you continue replying?
On Saturday, 18-01-2025 at 11:47 John Hasler wrote:
In the case of rsync Debian backported a fix. Therefore it gets the old
version number with a suffix to indicate that Debian patched it. In the
case of chromium upstream patched it and released the patched version
with a new version number.
So this means that a patched version from :
https://backports.debian.org/
Backports are packages taken from the next Debian release (called
"testing"), adjusted and recompiled for usage on Debian stable.
as long as we have debian-security in our apt sources we still get the
security patched version without needing to do anything special like
specifically installing a bookworm-backports package.
One particular consequence of this process of making a stable release is
that generally no new features will ever come to the packages in it.
Thanks Roberto, and others who tried to explain Backporting, I will
need to read this and think about it for a while.
To make comment, I stay away from FlatPacks (the MS world tried this
kind of technology once, I wonder if they still do)?
I prefer stability and hence Debian Stable with its "not rolling
release". Even if I don't have yesterday's release, so far that has
not been an issue I cannot get around.
Nothing is "secure", just maybe more secure than other ways.
Nothing is "stable", just maybe more stable than other ways.
Andy Smith (12025-01-18):
One particular consequence of this process of making a stable release is that generally no new features will ever come to the packages in it.
No new *features* is not the point of Debian stable, though, only a side effect.
The point is: no changes in behavior.
When you upgrade to a new version of a program, maybe you need to
replace “whitelist” by “allowlist” because somebody had their fifteen
minutes of celebrity by pointing out it is problematic, otherwise it will
not start.
Or maybe the program you were running in a crontab will suddenly start
asking for a confirmation interactively.
Or maybe -D used to mean to not delete all the files and now, for
consistency it means to delete all the files.
When running Debian stable, you can trust the distribution it will not happen: you can upgrade, your scripts will not stop working, your
config files will not need updating.
Only need to schedule for unexpected software breakage once every two to
five years.
Regards,
--
Nicolas George
After a stable release of Debian is made, future package updates will
come from the stable-updates suite (e.g. bookworm-updates in the case
of Debian 12). These updates will in most cases contain the same version
of the software from stable suite but with a fix for one or more
security bugs built for it.
In the concrete case of rsync as recently discussed on this list, the *Debian* package version as reported by dpkg would be 3.2.7-1 when it
was originally installed from the Debian 12 release media, but would be updated to 3.2.7-1+deb12u2 through package updates that came via the bookworm-updates suite in your sources.list. All the time, the actual
program is going to report 3.2.7 when you type "rsync --version",
because that is what it is.
When you install Debian it usually enables security updates via an
-updates suite, so every user of stable should be getting security
updates.
On 18/01/2025 23:01, Andy Smith wrote:
The *-updates suite is something different from security upgrades.
To get bookworm security upgrades the necessary apt line is something like:
deb https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
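
The thread distinguishes a backported patch, a newer upstream build for stable, and a backports package; the version suffix and the suite column of `apt list -a` show which one you have. As an added example (not code from any poster or from Debian), this Python parser classifies the suffix and reports whether a pending upgrade is the version offered by stable-security. The function names and the suffix-to-meaning mapping are assumptions drawn from the versions listed in the thread, and the sample lines are copied from those listings.

```python
import re

# Sample input: `apt list -a` lines copied from the listings in this thread,
# one entry per line (apt does not promise a stable output format).
SAMPLE = """\
Listing... Done
linux-image-amd64/stable-updates 6.1.124-1 amd64 [upgradable from: 6.1.106-3]
linux-image-amd64/stable-security 6.1.119-1 amd64
linux-image-amd64/now 6.1.106-3 amd64 [installed,upgradable to: 6.1.124-1]
firefox-esr/stable-security 128.6.0esr-1~deb12u1 amd64 [upgradable from: 115.15.0esr-1~deb12u1]
firefox-esr/stable 128.5.0esr-1~deb12u1 amd64
firefox-esr/now 115.15.0esr-1~deb12u1 amd64 [installed,upgradable to: 128.6.0esr-1~deb12u1]
rsync/stable-security 3.2.7-1+deb12u2 amd64
rsync/stable 3.2.7-1 amd64
"""

# name/suite[,suite] version arch [state]
LINE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<ver>\S+)\s+\S+(?:\s+\[(?P<state>.*)\])?$")

def classify(version):
    """Name the kind of build from the Debian revision suffix (assumed mapping)."""
    if re.search(r"~bpo\d+\+\d+$", version):
        return "backport"            # e.g. 6.11.10-1~bpo12+1, no security support
    if re.search(r"\+deb\d+u\d+$", version):
        return "patched-in-stable"   # e.g. rsync 3.2.7-1+deb12u2, same upstream
    if re.search(r"~deb\d+u\d+$", version):
        return "rebuilt-for-stable"  # e.g. chromium 132.0.6834.83-1~deb12u1
    return "plain"

def pending(listing):
    """Map package -> (target version, offered_by_stable_security)."""
    by_suite, target = {}, {}
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header and blank lines
        for suite in m["suites"].split(","):
            by_suite.setdefault(m["pkg"], {}).setdefault(suite, set()).add(m["ver"])
        state = m["state"] or ""
        up = re.search(r"upgradable to: (\S+)", state)
        if up and "installed" in state:
            target[m["pkg"]] = up.group(1)
    return {p: (v, v in by_suite[p].get("stable-security", set()))
            for p, v in target.items()}

if __name__ == "__main__":
    for pkg, (ver, sec) in pending(SAMPLE).items():
        print(pkg, ver, classify(ver), "security" if sec else "not-security")
```

On the sample, firefox-esr is flagged as waiting on the stable-security version, while the linux-image-amd64 upgrade comes from stable-updates.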