Proposed-updates from a security standpoint

Post by debianwashere » 2017-03-05 11:38

From a security standpoint how much sense does it make to use proposed-updates?

CON: the packages in proposed-updates aren't supported by the security team. Apparently new versions can be added by maintainers (wholly?) unchecked.
https://www.debian.org/security/faq#proposed-updates
https://www.debian.org/security/faq#ppu

PRO: nearly the whole queue are security updates. So you get them sooner! From my experience the packages in proposed-updates pose little risk to functionality and therefore the same may apply to security.
https://release.debian.org/proposed-updates/stable.html


These are my guesses. What would a more informed opinion be?
debianwashere
Posts: 3
Joined: 2017-03-05 11:27

Re: Proposed-updates from a security standpoint

Post by None1975 » 2017-03-06 12:24

debianwashere wrote: What would a more informed opinion be?

According to the Debian wiki:
Official statement: As mentioned above, packages in stable-proposed-updates aren't yet officially part of Debian Stable and one should not assume it has the same quality and stability (yet!). Those new versions of the packages need to be reviewed (by the stable release manager) and tested (by some users) before entering stable. Unofficial statement: However, the quality is usually very high (it should still be considered higher quality than Debian Testing, Backports...). You are welcome to test those updates if you can recover from minor problems (but don't test on production servers ;-).
None1975
Posts: 72
Joined: 2015-11-29 18:23

Re: Proposed-updates from a security standpoint

Post by emariz » 2017-03-07 03:30

It should be noted that packages from security.debian.org are copied into the p-u-new (o-p-u-new) directory automatically. At the same time, packages that are uploaded directly to proposed-updates (oldstable-proposed-updates) are not monitored by the Debian security team.

http://www.debian.org/releases/proposed-updates

After using Proposed Updates for a couple of years, back when Squeeze was Stable (and Old Stable), I cannot remember one example of a package version which had been present in Proposed Updates but was later rejected or superseded. There might have been such a case, but I certainly do not remember it or its issues.

Then again, I also enabled all Backports, for mine was not really a critical system.
emariz
Posts: 2881
Joined: 2008-10-17 07:59
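An added configuration example (not posted by anyone in this thread) of how the channels discussed above can be enabled together while keeping proposed-updates opt-in: security.debian.org and stable-updates stay at APT's default priority of 500, and proposed-updates is pinned to 100 so a normal upgrade never prefers it over stable, but a specific package can still be pulled from it on request. The codename "jessie" and the mirror host are placeholders for the current stable; the Pin `n=` value assumes the proposed-updates Release file carries that codename, which can be checked with `apt-cache policy` after `apt-get update`.

```text
# /etc/apt/sources.list ("jessie" is a placeholder for the current stable codename)
deb http://deb.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
deb http://deb.debian.org/debian jessie-updates main
deb http://deb.debian.org/debian jessie-proposed-updates main

# /etc/apt/preferences.d/proposed-updates
# Default priority is 500. At 100, the stable/security version stays the
# candidate during "apt-get upgrade"; a proposed-updates version is installed
# only when requested explicitly:
#   apt-get install -t jessie-proposed-updates <package>
# Once a package has been installed from proposed-updates, later revisions
# from there upgrade normally, since they outrank the installed version.
Package: *
Pin: release n=jessie-proposed-updates
Pin-Priority: 100
```

With this in place, `apt-cache policy <package>` lists every suite that offers each version with its priority, so one can see whether a version in proposed-updates is a copy of the one already on security.debian.org (it appears under both) or a direct upload that only the release team has looked at.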

Re: Proposed-updates from a security standpoint

Post by debianwashere » 2017-03-08 07:13

Thanks, here is where I found relevant information:
https://www.debian.org/doc/manuals/deve ... oad-stable
https://www.debian.org/doc/manuals/deve ... g-security

It says all security updates are copied to proposed-updates automatically and are not uploaded there directly or exclusively. While that is the only reasonable way of making it work, the queue being full of almost nothing but security updates confused me.

Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable? How many more features does it have? In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates? And how commonly are they made?

As the version of a package gets continually updated, the same "version flow" should, I imagine, run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct? So how much is there really left to test in proposed-updates?
debianwashere
Posts: 3
Joined: 2017-03-05 11:27

Re: Proposed-updates from a security standpoint

Post by dilberts_left_nut » 2017-03-08 08:21

debianwashere wrote: Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable?
Not very.
debianwashere wrote: How many more features does it have?
Ideally none.
debianwashere wrote: In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates?
As little as possible.
debianwashere wrote: And how commonly are they made?
As required.

debianwashere wrote: As the version of a package gets continually updated, the same "version flow" should, I imagine, run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct?
No. Testing packages (almost) never go into stable.
debianwashere wrote: So how much is there really left to test in proposed-updates?
Compatibility with the rest of stable - and for 'oopses'.
dilberts_left_nut
Posts: 4548
Joined: 2009-10-05 07:54
Location: enzed

Re: Proposed-updates from a security standpoint

Post by debianwashere » 2017-03-18 16:12

Thank you for your answers. Two more questions:

According to https://lists.debian.org/debian-devel-a ... 00010.html stable updates is a subset of proposed-updates. As proposed-updates are not supported by the security team, are stable updates then also unsupported? Nowhere have I found the relation between stable updates and security explicitly stated. It only really says they're two different channels for updates.

According to http://unix.stackexchange.com/questions ... ibutions-i everything from proposed-updates goes to stable when a point release is made. Is this true or does this claim actually hold for stable updates?
debianwashere
Posts: 3
Joined: 2017-03-05 11:27
