
Proposed-updates from a security standpoint

debianwashere
Posts: 3
Joined: 2017-03-05 11:27

Proposed-updates from a security standpoint

#1 Post by debianwashere »

From a security standpoint how much sense does it make to use proposed-updates?

CON: the packages in proposed-updates aren't supported by the security team. Apparently new versions can be added by maintainers (wholly?) unchecked.
https://www.debian.org/security/faq#proposed-updates
https://www.debian.org/security/faq#ppu

PRO: nearly the whole queue are security updates. So you get them sooner! From my experience the packages in proposed-updates pose little risk to functionality and therefore the same may apply to security.
https://release.debian.org/proposed-updates/stable.html


These are my guesses. What would a more informed opinion be?

None1975
df -h | participant
Posts: 1388
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 65 times

Re: Proposed-updates from a security standpoint

#2 Post by None1975 »

debianwashere wrote: What would a more informed opinion be?
According to the Debian wiki:
Official statement: As mentioned above, packages in stable-proposed-updates aren't yet officially part of Debian Stable and one should not assume it has the same quality and stability (yet!). Those new versions of the packages need to be reviewed (by the stable release manager) and tested (by some users) before entering stable. Unofficial statement: However, the quality is usually very high (it should still be considered higher quality than Debian Testing, Backports...). You are welcome to test those updates if you can recover from minor problems (but don't test on production servers ;-).
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

emariz
Posts: 2901
Joined: 2008-10-17 07:59

Re: Proposed-updates from a security standpoint

#3 Post by emariz »

It should be noted that packages from security.debian.org are copied into the p-u-new (o-p-u-new) directory automatically. At the same time, packages that are uploaded directly to proposed-updates (oldstable-proposed-updates) are not monitored by the Debian security team.
http://www.debian.org/releases/proposed-updates

After using Proposed Updates for a couple of years, back when Squeeze was Stable (and Old Stable), I cannot remember one example of a package version which had been present in Proposed Updates but was later rejected or superseded. There might have been such a case, but I certainly do not remember it or its issues.

Then again, I also enabled all Backports, for mine was not really a critical system.
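A practical way to act on the distinction emariz describes (security uploads are copied into proposed-updates, direct uploads there are not covered by the security team) is to look at which suite offers the candidate version before upgrading. The script below is an added example, not code from the thread or from Debian: it parses `apt-cache policy` output (a constructed sample is embedded, with placeholder package and version names) and flags candidates that are only offered by a *-proposed-updates suite. It assumes bookworm-era suite names such as `bookworm-security` and HTTP mirrors.

```sh
#!/bin/sh
# Constructed sample of `apt-cache policy libexample1` output; package name,
# versions and mirror layout are placeholders, not captured from a real host.
SAMPLE_DIRECT_UPLOAD='libexample1:
  Installed: 1.0-1
  Candidate: 1.0-1+deb12u1
  Version table:
     1.0-1+deb12u1 500
        500 http://deb.debian.org/debian bookworm-proposed-updates/main amd64 Packages
 *** 1.0-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status'

# Same package, but the candidate is a security upload that was also copied
# into proposed-updates, so it shows up from both suites (constructed sample).
SAMPLE_SECURITY_COPY='libexample1:
  Installed: 1.0-1
  Candidate: 1.0-1+deb12u2
  Version table:
     1.0-1+deb12u2 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
        500 http://deb.debian.org/debian bookworm-proposed-updates/main amd64 Packages
 *** 1.0-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status'

# Read a policy listing on stdin and print one suite name per line
# (e.g. bookworm-security) for every archive that offers the Candidate version.
candidate_suites() {
    awk '
        /^  Candidate:/ { cand = $2; next }
        # version rows: "     1.0-1+deb12u1 500" or " *** 1.0-1 500" (installed)
        /^ (\*\*\*)? *[^ ]+ +[0-9]+$/ { cur = ($1 == "***") ? $2 : $1; next }
        # source rows: "        500 http://mirror suite/component arch Packages"
        cur == cand && $2 ~ /^https?:/ { split($3, a, "/"); print a[1] }
    '
}

# Exit 0 when the candidate comes only from a *-proposed-updates suite, i.e. it
# was uploaded there directly and is outside the security team's coverage;
# exit 1 when a *-security suite also carries it or it is a plain stable version.
unreviewed_by_security() {
    suites=$(candidate_suites)
    case " $suites " in
        *-security*) return 1 ;;
        *-proposed-updates*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a real host: apt-cache policy libexample1 | unreviewed_by_security && echo "review first"
```
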

debianwashere
Posts: 3
Joined: 2017-03-05 11:27

Re: Proposed-updates from a security standpoint

#4 Post by debianwashere »

Thanks, here is where I found relevant information:
https://www.debian.org/doc/manuals/deve ... oad-stable
https://www.debian.org/doc/manuals/deve ... g-security

It says all security updates are copied to proposed-updates automatically and not uploaded there directly or exclusively. While that is the only reasonable way of making it work, the queue being full of nearly just security updates confused me.


Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable? How many more features does it have? In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates? And how commonly are they made?

As the version of a package gets continually updated the same "version flow" should I imagine run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct? So how much is there really left to test in proposed-updates?

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Proposed-updates from a security standpoint

#5 Post by dilberts_left_nut »

debianwashere wrote: Since we're on the topic of proposed-updates: how different is the software in proposed-updates from stable?
Not very.
How many more features does it have?
Ideally none.
In longer terms: insofar as it's possible to generalize, how significant are usually the changes to packages in proposed-updates?
As little as possible.
And how commonly are they made?
As required.

As the version of a package gets continually updated the same "version flow" should I imagine run through proposed-updates and testing. So any version in proposed-updates would once have been in testing. Is this correct?
No. Testing packages (almost) never go into stable.
So how much is there really left to test in proposed-updates?
Compatibility with the rest of stable - and for 'oopses'.
AdrianTM wrote:There's no hacker in my grandma...

debianwashere
Posts: 3
Joined: 2017-03-05 11:27

Re: Proposed-updates from a security standpoint

#6 Post by debianwashere »

Thank you for your answers. Two more questions:

According to https://lists.debian.org/debian-devel-a ... 00010.html stable updates is a subset of proposed-updates. As proposed-updates are not supported by the security team, are stable updates then also unsupported? Nowhere have I found the relation between stable updates and security explicitly stated. It only really says they're two different channels for updates.

According to http://unix.stackexchange.com/questions ... ibutions-i everything from proposed-updates goes to stable when a point release is made. Is this true or does this claim actually hold for stable updates?
