From a security standpoint how much sense does it make to use proposed-updates?
CON: the packages in proposed-updates aren't supported by the security team. Apparently new versions can be added by maintainers (wholly?) unchecked.
https://www.debian.org/security/faq#proposed-updates
https://www.debian.org/security/faq#ppu
PRO: nearly the whole queue are security updates. So you get them sooner! From my experience the packages in proposed-updates pose little risk to functionality and therefore the same may apply to security.
https://release.debian.org/proposed-updates/stable.html
These are my guesses. What would a more informed opinion be?
Proposed-updates from a security standpoint
- None1975
Re: Proposed-updates from a security standpoint
> debianwashere wrote: What would a more informed opinion be?
According to Debian wiki:
> Official statement: As mentioned above, packages in stable-proposed-updates aren't yet officially part of Debian Stable and one should not assume it has the same quality and stability (yet!). Those new versions of the packages need to be reviewed (by the stable release manager) and tested (by some users) before entering stable.
> Unofficial statement: However, the quality is usually very high (it should still be considered higher quality than Debian Testing, Backports...). You are welcome to test those updates if you can recover minor problems (but don't test on production servers).
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
Re: Proposed-updates from a security standpoint
http://www.debian.org/releases/proposed-updates
It should be noted that packages from security.debian.org are copied into the p-u-new (o-p-u-new) directory automatically. At the same time, packages that are uploaded directly to proposed-updates (oldstable-proposed-updates) are not monitored by the Debian security team.
After using Proposed Updates for a couple of years, back when Squeeze was Stable (and Old Stable), I cannot remember one example of a package version which had been present in Proposed Updates but was later rejected or superseded. There might have been such a case, but I certainly do not remember it or its issues.
Then again, I also enabled all Backports, for mine was not really a critical system.
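The distinction drawn in this post (security uploads copied into proposed-updates automatically versus direct uploads that the security team does not monitor) can be checked by comparing archive indices. This is an added example, not part of the thread: it assumes a copied security update appears in both Packages indices under the same version string, and the package names and versions are constructed.

```python
# Added example: split proposed-updates entries into those that also exist
# in the security archive and those that were uploaded directly.

def parse_packages(text):
    """Parse a Debian Packages index (deb822 stanzas) into {(name, version)}."""
    entries = set()
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines start with whitespace; not needed here.
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if "package" in fields and "version" in fields:
            entries.add((fields["package"], fields["version"]))
    return entries


def classify(pu_index, security_index):
    """Return proposed-updates entries grouped by their presence in security."""
    pu = parse_packages(pu_index)
    sec = parse_packages(security_index)
    return {
        "copied_from_security": sorted(pu & sec),
        "direct_upload": sorted(pu - sec),
    }


# Constructed sample indices (hypothetical packages and versions).
SAMPLE_PU = """\
Package: examplelib
Version: 1.4.2-1+deb12u1
Architecture: amd64
Description: constructed entry
 long description continuation

Package: exampletool
Version: 2.0-3+deb12u2
Architecture: amd64
"""

SAMPLE_SECURITY = """\
Package: examplelib
Version: 1.4.2-1+deb12u1
Architecture: amd64
"""

if __name__ == "__main__":
    for kind, items in classify(SAMPLE_PU, SAMPLE_SECURITY).items():
        for name, version in items:
            print(f"{kind}: {name} {version}")
```

Entries reported as `direct_upload` are the ones that reached proposed-updates without passing through the security archive, so they are the ones to review before installing.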
Re: Proposed-updates from a security standpoint
Thanks, here is where I found relevant information:
https://www.debian.org/doc/manuals/deve ... oad-stable
https://www.debian.org/doc/manuals/deve ... g-security
It says all security updates are copied to proposed-updates automatically and not uploaded there directly or exclusively. While that is the only reasonable way of making it work, the queue being full of nearly just security updates confused me.
Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable? How many more features does it have? In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates? And how commonly are they made?
As the version of a package gets continually updated, the same "version flow" should, I imagine, run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct? So how much is there really left to test in proposed-updates?
- dilberts_left_nut
Re: Proposed-updates from a security standpoint
> debianwashere wrote: Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable?
Not very.
> How many more features does it have?
Ideally none.
> In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates?
As little as possible.
> And how commonly are they made?
As required.
> As the version of a package gets continually updated the same "version flow" should I imagine run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct?
No. Testing packages (almost) never go into stable.
> So how much is there really left to test in proposed-updates?
Compatibility with the rest of stable - and for 'oopses'.
AdrianTM wrote: There's no hacker in my grandma...
Re: Proposed-updates from a security standpoint
Thank you for your answers. Two more questions:
According to https://lists.debian.org/debian-devel-a ... 00010.html stable updates is a subset of proposed-updates. As proposed-updates are not supported by the security team are then stable updates also unsupported? Nowhere have I found the relation between stable updates and security explicitly stated. It only really says they're two different channels for updates.
According to http://unix.stackexchange.com/questions ... ibutions-i everything from proposed-updates goes to stable when a point release is made. Is this true or does this claim actually hold for stable updates?