The officially official Devuan Forum!

You are not logged in.

#1 2017-08-10 06:36:19

leloft
Member
Registered: 2017-08-10
Posts: 15  

Security updates for devuan jessie

New forum member greets the community.  Very happy with devuan: running it on all seven machines at work.  Finding it extremely stable even under heavily loaded production machines.  Well done you all!  I am struggling to understand how to apt-get security updates now that debian jessie has gone oldstable.  Could I ask a possibly dumb question please.

What should I have in my sources.list to keep my devuan jessie up to date.?I am particularly concerned with the 23 CVEs in the security advisory 3926-1 (chromium) and the 10 CVEs in 3927-1 (kernel), although the debian oldstable patches are not yet available for the kernel.  I only run chromium on two of the machines, chrome on a third, the rest are headless.

So: should I upgrade chromium to chrome and use the google repository, or is there an additional repository that I should include in sources.list to keep things devuan.  I am not getting any updates at all at the moment.

Hope it's not too dumb a question.

Many Thanks for the hard work going on behind the scenes.  It's very much appreciated.

Offline

#2 2017-08-10 08:51:35

darry1966
Member
Registered: 2017-06-14
Posts: 82  

Re: Security updates for devuan jessie

Fist of all Welcome to Devuan.

Jessie is supported until April 2020.  There is a Devuan Backports repo.
Explanation of what backports is
https://backports.debian.org/Instructions/

Setting up Backports in Devuan (Not Debian)
https://devuan.org/os/etc/apt/sources.list

Offline

#3 2017-08-10 22:24:06

garyz.dev1
Member
From: U.S.-South Carolina
Registered: 2017-06-15
Posts: 89  

Re: Security updates for devuan jessie

What does the /etc/apt/sources.list show -- can you list it for us?

Offline

#4 2017-08-11 06:50:55

leloft
Member
Registered: 2017-08-10
Posts: 15  

Re: Security updates for devuan jessie

garyz.dev1 wrote:

What does the /etc/apt/sources.list show -- can you list it for us?

# deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

#deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

deb http://auto.mirror.devuan.org/merged/ jessie main
#deb-src http://gb.mirror.devuan.org/merged/ jessie main

# jessie-security, previously known as 'volatile'
deb http://packages.devuan.org/merged/ jessie-security main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-security main

# jessie-updates, previously known as 'volatile'
deb http://auto.mirror.devuan.org/merged/ jessie-updates main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-updates main

# jessie-backports, previously on backports.debian.org
deb http://auto.mirror.devuan.org/merged/ jessie-backports main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-backports main

# Devuan repositories
deb http://packages.devuan.org/merged jessie main
#deb-src http://packages.devuan.org/merged jessie main

deb http://auto.mirror.devuan.org/devuan jessie-proposed main
#deb-src http://auto.mirror.devuan.org/devuan jessie-proposed main

Thanks for your responses

Offline

#5 2017-08-11 07:24:38

darry1966
Member
Registered: 2017-06-14
Posts: 82  

Re: Security updates for devuan jessie

Well you have backports and security repos enabled so thats what you need.

Offline

#6 2017-08-11 09:56:04

leloft
Member
Registered: 2017-08-10
Posts: 15  

Re: Security updates for devuan jessie

darry1966 wrote:

Well you have backports and security repos enabled so thats what you need.

$ cat /var/log/apt/history.log.1 | tail -n 5

Start-Date: 2017-07-29  10:17:48
Commandline: apt-get upgrade
Upgrade: mysql-server-core-5.5:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), mysql-server-5.5:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), mysql-client:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), mysql-client-5.5:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), mysql-common:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), libmysqlclient18:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1), mysql-server:amd64 (5.5.55-0+deb8u1, 5.5.57-0+deb8u1)
End-Date: 2017-07-29  10:18:21

$ cat /var/log/apt/history.log

Start-Date: 2017-08-05  08:43:27
Commandline: apt-get install --reinstall devuan-keyring
Reinstall: devuan-keyring:amd64 (2016.11.22)
End-Date: 2017-08-05  08:43:30

Start-Date: 2017-08-11  10:51:39
Commandline: apt-get upgrade
Upgrade: geoip-database:amd64 (20170512-1~bpo8+1, 20170713-1~bpo9+1), libsoup2.4-1:amd64 (2.48.0-1, 2.48.0-1+deb8u1), fonts-opensymbol:amd64 (102.7+LibO5.2.7-1~bpo8+1, 102.10+LibO5.4.0-1~bpo9+1), libsoup-gnome2.4-1:amd64 (2.48.0-1, 2.48.0-1+deb8u1), libreoffice-nlpsolver:amd64 (0.9+LibO5.2.7-1~bpo8+1, 0.9+LibO5.4.0-1~bpo9+1), manpages-dev:amd64 (4.10-2~bpo8+1, 4.12-1~bpo9+1), manpages:amd64 (4.10-2~bpo8+1, 4.12-1~bpo9+1), libreoffice-wiki-publisher:amd64 (1.2.0+LibO5.2.7-1~bpo8+1, 1.2.0+LibO5.4.0-1~bpo9+1), libreoffice-librelogo:amd64 (5.2.7-1~bpo8+1, 5.4.0-1~bpo9+1), linux-libc-dev:amd64 (4.9.30-2+deb9u2~bpo8+1, 4.11.6-1~bpo9+1)
End-Date: 2017-08-11  10:52:21

# apt-get update && apt-get -t jessie-backports install chromium
Reading package lists...
Building dependency tree...
Reading state information...
chromium is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.

#apt-get -t stretch-backports install chromium
Reading package lists...
Building dependency tree...
Reading state information...
chromium is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.

$ apt-cache show chromium | sed -n 1,3p
Package: chromium
Source: chromium-browser
Version: 57.0.2987.98-1~deb8u1

_________________________________________________________________
Debian Security Advisory DSA-3926-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
August 04, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5087 CVE-2017-5088 CVE-2017-5089 CVE-2017-5091
                 CVE-2017-5092 CVE-2017-5093 CVE-2017-5094 CVE-2017-5095
                 CVE-2017-5097 CVE-2017-5098 CVE-2017-5099 CVE-2017-5100
                 CVE-2017-5101 CVE-2017-5102 CVE-2017-5103 CVE-2017-5104
                 CVE-2017-5105 CVE-2017-5106 CVE-2017-5107 CVE-2017-5108
                 CVE-2017-5109 CVE-2017-5110 CVE-2017-7000

For the stable distribution (stretch), these problems have been fixed in
version 60.0.3112.78-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 60.0.3112.78-1 or earlier versions.
__________________________________________________________________

So what am I doing wrong?  Any help with the following four questions would be appreciated.

Q1. Why is apt not replacing chromium v57 with v60? 
Q2. Why are there no log entries for the failed updates, which included an aborted 'unauthenticated packages' warning which prompted the reinstallion of devuan-keyring and the subsequent apt-key update?
Q3. Devuan bug report logs - #24 devuan-project: Cannot update Chromium (https://bugs.devuan.org/db/24/24.html) refers to a solution at  https://dev1galaxy.org/viewtopic.php?id=444, but the link is broken.  Does anyone have a working link?
Q4. Why am I not getting any security updates at all: kernel and postgresql are still unpatched, but the jessie-
and stretch-backports updates worked ok?

Any ideas what might be going on?

Many Thanks

Offline

#7 2017-08-11 12:16:31

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,409  

Re: Security updates for devuan jessie

I'll take the easy ones...

Q1: You won't get chromium  v.60 in jessie because it's not there. 57 is in jessie and jessie-security. In fact, you won't get 60 in ascii or stretch, either. It's 59 there. Chromium-60 is in ceres/sid. I don't see any chromium in jessie-backports. (Note: I hope your "stretch-backports" is a typo. Don't use debian repos in your sources.)

Q3: The link works fine here. Maybe you tried to access it yesterday during forum maintenance. It's a thread about problems upgrading to chromium 56 or 57, back in March. Probably not relevant.

The following is for informational purposes. If you can get output that looks like this, you are in deep trouble. Don't use debian repos in your sources. (If I ever do an upgrade without fixing my sources first, I'm screwed.)

apt-cache policy chromium
chromium:
  Installed: 57.0.2987.98-1~deb8u1
  Candidate: 57.0.2987.98-1~deb8u1
  Version table:
     60.0.3112.78-1 0
         10 http://debian.csail.mit.edu/debian/ buster/main amd64 Packages
         10 http://debian.csail.mit.edu/debian/ sid/main amd64 Packages
        100 http://auto.mirror.devuan.org/merged/ ceres/main amd64 Packages
     59.0.3071.86-1 0
         10 http://debian.csail.mit.edu/debian/ stretch/main amd64 Packages
        100 http://us.mirror.devuan.org/merged/ ascii/main amd64 Packages
 *** 57.0.2987.98-1~deb8u1 0
        500 http://us.mirror.devuan.org/merged/ jessie/main amd64 Packages
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
        100 /var/lib/dpkg/status

Offline

#8 2017-08-11 15:43:12

Somewhat Reticent
Member
Registered: 2017-04-06
Posts: 103  

Re: Security updates for devuan jessie

For keeping up with rapidly-changing apps, would (something like) a "fire-jail-ed" "appimage" make more sense?
Expecting speedy service on oldstable seems ludicrous.

Offline

#9 2017-08-11 16:07:56

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  
Website

Re: Security updates for devuan jessie

Is it possible you have auto-updates/unattended-updates turned on?  If you do there is nothing
for you to ever upgrade.  I've only larked around jessie for the amount of time it takes to switch
repositories, update/upgrade and go upstream.
Jessie was stable for debian last month, so we are a few weeks behind.  Big deal, try Arch if you
don't worry about security bugs popping up all the time about what you have been running for
months if not years. 

If you chose an off distribution package that does not bring any dependencies on of its own or even
worse replacing some of the existing ones, at worse case scenario it may not work.  If you mix
match dependencies then you are on your own and things may get irreversibly messed up.

Then there is the case of someone jumping up to testing or unstable, don't like how things work and
reverses back to stable and expects updates.  They may not come for months or even years unless
they are a security patch that affects everyone. 

Replacing common dependency packages with something newer will have the same ill effects on the
rest of the system whether you jail the package or not.

Offline

#10 2017-08-12 11:49:03

gnath
Member
From: city of joy
Registered: 2017-08-12
Posts: 9  

Re: Security updates for devuan jessie

Hi,

My devuan  ascii also not getting any updates since last few days. This may be fine , but I am really
worried about " ascii-security".According to DSA , few packages need to be upgraded for my system
( firefox-esr etc.). Apart from " rsyslog " my system is also stable for now.

Regards,

Last edited by gnath (2017-08-12 14:36:25)

Offline

#11 2017-08-12 17:30:18

garyz.dev1
Member
From: U.S.-South Carolina
Registered: 2017-06-15
Posts: 89  

Re: Security updates for devuan jessie

@gnath  - did you backport 'rsyslog' or replace it ??  there are two suggested replacements - I did one of them
'
AFAIK - there aren't really any 'updates' published for ASCII- they are still working on the alpha version.
You might take the DSA info (not familiar with it) and do a manual apt-get on the specific packages.
[all part of testing a new distro - please report any findings or updates]  the devs might incorporate
some of the changes as needed for the ascii-alpha
hopefully helpful

Offline

#12 2017-08-13 14:42:12

gnath
Member
From: city of joy
Registered: 2017-08-12
Posts: 9  

Re: Security updates for devuan jessie

@garyz.dev1-
My system was updated from devuan jessie, which was a clean install from devuan DVD installer. I only have
devuan ascii-updates & ascii-security, no backport or proposed.What is other choice? Dist-upgrade have given

rsyslog : Depends: liblognorm2 (>= 1.1.2) which is a virtual package. 
State: installed (8.4.2-1+deb8u2), upgrade available (8.14.0-2+devuan1.0)

Devuan community are really helpful.I know the dev's are pre-occupied and updates will be available when ready.
Devuan security updates probably come from Debian Security Advisory (DSA) published on debian main page.
These updates covers related CVE's for debian packages like firefox-esr, linux (kernel), chromium-browser,
postgresql ( @leloft ) etc. for respective suits.
I incorporated debian security repo. in my sources.list as

deb http://security.debian.org/ stretch/updates main contrib non-free 

and received few updates also last night including above first two packages. Ensured that does not include
devuan packages.This may not be the right way, but for time being ascii users may like this path.

Regards,

Last edited by gnath (2017-08-13 15:08:54)

Offline

#13 2017-08-13 16:31:12

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Re: Security updates for devuan jessie

To get around the liblognorm2 dependency,  install rsyslog from backports or else replace it with syslog-ng or busybox-syslogd.

Not a good idea to use Debian repos directly.  Could possibly get some systemd  'stuff' and the numbering will be different from  devuan's merged repo which could affect updates down the line.

Online

#14 2017-08-14 10:54:58

gnath
Member
From: city of joy
Registered: 2017-08-12
Posts: 9  

Re: Security updates for devuan jessie

Thanks for your concern. True this is not right. I have only ascii, -updates, -security & don't mix repo.
I am fine with present rsyslog & waiting for update. Shall try other two for enhanced functionality.

I was tempted for the security updates only for forked firefox-esr & linux-image- as those were not
available from ascii-security. Checked for any systemd intrusion other than libsystemd0 which is already
in my ascii. Those two pakg's are being most used. I use ascii & ceres knowing well their implications.
As a general user I shall not try for the same and wait for better. Ver. no. will not be problem for forked
debian packages. You would appreciate that in unix/linux world declared exposer has its own importance
at least for stable server/production system. Regular updates of any repo will be healthy sign for a distro.

Regards,

Offline

#15 2017-08-14 15:11:49

Ogis1975
Member
Registered: 2017-04-21
Posts: 307  
Website

Re: Security updates for devuan jessie

fsmithred wrote:

In fact, you won't get 60 in ascii or stretch, either. It's 59 there. Chromium-60 is in ceres/sid.

Hello. You are wrong . Chromium version in Stretch is 60.0.3112.78

 apt-cache policy chromium
chromium:
  Įdiegta:    60.0.3112.78-1~deb9u1
  Kandidatas: 60.0.3112.78-1~deb9u1
  Versijų lentelė:
 *** 60.0.3112.78-1~deb9u1 500
        500 http://deb.debian.org/debian-security stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     59.0.3071.86-1 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages]

But in Jessie, Chromium is 57.0.2987.98-1.
Sorry. I don't understand Devuan security policies

Last edited by Ogis1975 (2017-08-14 15:18:43)


What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
            ----+- Peter Kropotkin -+----

Offline

#16 2017-08-14 16:17:46

garyz.dev1
Member
From: U.S.-South Carolina
Registered: 2017-06-15
Posts: 89  

Re: Security updates for devuan jessie

@gnath & @Ogis1975  you both are using debian-security  sources. {it appears to me}
I think this is the 'mixed repos' that @golinux was refering to;
and that is why there is a difference in the version numbers
'
I do believe Devuan Jessie is the Debian-oldstable (has some systemd-stuff)
Devuan ASCII is our next release that won't have systemd-stuff -
  ( I don't think there is a direct cross from Debian series)
AFAIK Devuan relies on Debian packages/etc  UNLESS they have some systemd-stuff
'
Devuan modified packages come first then filled in with Debian
'
HTH - GaryZ

Offline

#17 2017-08-14 18:47:47

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,409  

Re: Security updates for devuan jessie

Ogis1975 wrote:
fsmithred wrote:

In fact, you won't get 60 in ascii or stretch, either. It's 59 there. Chromium-60 is in ceres/sid.

Hello. You are wrong . Chromium version in Stretch is 60.0.3112.78

I'm not entirely wrong. 59 is in stretch and 60 is in stretch-security, which I did not enable. Guess I should do that if I want to see all versions.

About mixing repos: I don't know what these other folks are running, but I always disable all the extra repos before I install anything or upgrade. They are only enabled so I can see all versions with 'apt-cache policy <package>'.

Offline

#18 2017-09-02 07:44:44

leloft
Member
Registered: 2017-08-10
Posts: 15  

Re: Security updates for devuan jessie

I can offer half an answer to my own question (Q2, post#6):

If Amprolla is down or otherwise unavailable, apt-get appears to use the underlying debian repos in consequence.  This results in a whole bunch of unauthenticated packages (because I have the devuan keyring not the debian) including packages which are normally held back.  Although this constitutes using mixed repos, it appears like normal behaviour to apt-get, and so it simply gets logged as a striaghtforward upgrade.  This has happened three times now: it appears that this behaviour is reproducible.  I don't know enough to call it a bug, but it seems serious enough to warrant flagging up.  Perhaps someone who knows more than me could confirm and escalate if necessary.  For the rest of us noobs, just exercise caution if Amprolla is unavailable.

Offline

#19 2017-09-02 10:08:12

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  
Website

Re: Security updates for devuan jessie

This makes some sense and explains some breakage in ascii/ceres where the block on sysD dependencies may not be as effective yet.  So, would a solution be to remove or mess up the Debian keyring so nothing that is not in Devuan comes in?  I have noticed times with the devuan repositories either being slow or partially available (2 may work one produces errors) which questions the above.  If it automatically switches to debian when devuan is not available how come the error is produced?
I've had one installation left where between X and dm the input devices freeze, which never happens in debian or other installations.  Unplugging and plugging them back (usb) fixes the problem till next reboot.  It happened on cers then days later in ascii.  I dumped the ceres and kept the ascii.  This is more than a month ago.  I have two other installations both running ascii with very similar setup to starting and the problem never occurred.  I never touched any X configuration, it is all as it was installed and happens with all dm that I tried.
Leloft's explanation is the only logical I have found, a mix-match of devuan/debian upgrades.

Offline

#20 2017-09-02 11:48:10

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  
Website

Re: Security updates for devuan jessie

$ ls /etc/apt/trusted.gpg.d

-rw-r--r-- 1 root root 7.4K May 25 21:17 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7.4K May 25 21:17 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K May 25 21:17 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 3.6K Nov 22  2016 devuan-keyring-2016-archive.gpg
-rw-r--r-- 1 root root 2.2K Nov 22  2016 devuan-keyring-2016-cdimage.gpg
-rw-r--r-- 1 root root 5.1K Nov 30  2014 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5.1K Nov 30  2014 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2.8K Nov 30  2014 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 3.7K Nov 30  2014 debian-archive-wheezy-automatic.gpg
-rw-r--r-- 1 root root 2.8K Nov 30  2014 debian-archive-wheezy-stable.gpg

to

$ ls /etc/apt/trusted.gpg.d

-rw-r--r-- 1 root root 3.6K Nov 22  2016 devuan-keyring-2016-archive.gpg
-rw-r--r-- 1 root root 2.2K Nov 22  2016 devuan-keyring-2016-cdimage.gpg

Should something like this produce errors, or only devuan specific packages come from devuan and the rest from debian?

Offline

#21 2017-09-02 11:50:40

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,409  

Re: Security updates for devuan jessie

leloft wrote:

I can offer half an answer to my own question (Q2, post#6):

If Amprolla is down or otherwise unavailable, apt-get appears to use the underlying debian repos in consequence.  This results in a whole bunch of unauthenticated packages (because I have the devuan keyring not the debian) including packages which are normally held back.  Although this constitutes using mixed repos, it appears like normal behaviour to apt-get, and so it simply gets logged as a striaghtforward upgrade.  This has happened three times now: it appears that this behaviour is reproducible.  I don't know enough to call it a bug, but it seems serious enough to warrant flagging up.  Perhaps someone who knows more than me could confirm and escalate if necessary.  For the rest of us noobs, just exercise caution if Amprolla is unavailable.

I checked with someone who knows more than both of us put together (CenturionDan):

if that happens then there is a debian stanza in either /etc/apt/sources or /etc/apt/sources.d/

Offline

#22 2017-09-02 13:09:37

leloft
Member
Registered: 2017-08-10
Posts: 15  

Re: Security updates for devuan jessie

fsmithred wrote:

I checked with someone who knows more than both of us put together (CenturionDan):

if that happens then there is a debian stanza in either /etc/apt/sources or /etc/apt/sources.d/

Can't see it:

$ ls -al /etc/apt
total 84
drwxr-xr-x   6 root root  4096 Sep  1 09:03 .
drwxr-xr-x 126 root root 12288 Sep  2 05:14 ..
drwxr-xr-x   2 root root  4096 Sep  1 09:03 apt.conf.d
-rw-r--r--   1 root root    99 Sep  1 09:03 listchanges.conf
drwxr-xr-x   2 root root  4096 Sep  1 09:03 preferences.d
-rw-r--r--   1 root root  1240 Sep  1 09:03 sources.list
-rw-r--r--   1 root root     0 Sep  1 09:03 sources.list~
drwxr-xr-x   2 root root  4096 Sep  1 09:03 sources.list.d
-rw-r--r--   1 root root 40508 Sep  1 09:03 trusted.gpg
-rw-r--r--   1 root root  3530 Sep  1 09:03 trusted.gpg~
drwxr-xr-x   2 root root  4096 Sep  1 09:03 trusted.gpg.d

$ ls -al /etc/apt/sources.list.d
total 12
drwxr-xr-x 2 root root 4096 Sep  1 09:03 .
drwxr-xr-x 6 root root 4096 Sep  1 09:03 ..
-rw-r--r-- 1 root root  247 Sep  1 09:03 devuan.list

$ cat /etc/apt/sources.list.d/devuan.list
# autogenerated by devuan-baseconf
# decomment following lines to  enable the developers devuan repository
#deb http://packages.devuan.org/devuan jessie main contrib non-free
#deb-src http://packages.devuan.org/devuan jessie main contrib non-free

$ cat /etc/apt/sources.list
#
deb http://linux-libre.fsfla.org/pub/linux-libre/freesh freesh main

# deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

#deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

deb http://auto.mirror.devuan.org/merged/ jessie main
#deb-src http://gb.mirror.devuan.org/merged/ jessie main

# jessie-security, previously known as 'volatile'
deb http://packages.devuan.org/merged/ jessie-security main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-security main

# jessie-updates, previously known as 'volatile'
deb http://auto.mirror.devuan.org/merged/ jessie-updates main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-updates main

# jessie-backports, previously on backports.debian.org
#deb http://auto.mirror.devuan.org/merged/ jessie-backports main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-backports main

#Devuan repositories
deb http://packages.devuan.org/merged jessie main
#deb-src http://packages.devuan.org/merged jessie main

Silly question for my own clarity: are CenturianDan's '/etc/apt/sources' and '/etc/apt/sources.d'  missing from my '/etc/apt/*' or are they shorthand for '/etc/apt/sources.list' and '/etc/apt/sources.list.d'? Where else should I be looking?  Sorry if i've missed the point.

Offline

#23 2017-09-02 18:20:54

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  
Website

Re: Security updates for devuan jessie

Don't use backports unless there is a specific reason you want a backport.  Backports make sense in oldstable in debian as there are several editions.  Here we only have one.  I made the same mistake earlier on my devuan student session.  So everything looks fine. 
In my opinion, as light as it may be, this jessie was too early to be called 1.0, it should have retained its beta tag till ascii gets finished/audited.  Ascii seems barely started, and stretch on the other side seems a bit problematic as compared to previous stable editions.  If I am not mistaken, stretch went into freeze for the longest time in debian history.  Unlucky timing for devuan?  Jessie 8 had more than 500 bug tickets open before stretch became stable.
One systemd mess chasing another.

RIP good old wheezy

Offline

#24 2017-09-02 20:59:34

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,409  

Re: Security updates for devuan jessie

leloft,

I'm sure Dan meant sources.list and sources.list.d. I don't see any debian sources in what you posted. What packages did you get from debian that you should not have gotten?

Offline

#25 2017-09-02 21:31:35

sgage
Member
Registered: 2016-12-01
Posts: 339  

Re: Security updates for devuan jessie

fungus wrote:

In my opinion, as light as it may be, this jessie was too early to be called 1.0, it should have retained its beta tag till ascii gets finished/audited.  Ascii seems barely started, and stretch on the other side seems a bit problematic as compared to previous stable editions.  If I am not mistaken, stretch went into freeze for the longest time in debian history.  Unlucky timing for devuan?  Jessie 8 had more than 500 bug tickets open before stretch became stable.
One systemd mess chasing another.

In my opinion, the mistake wasn't calling jessie stable, it was calling it jessie! Of course, jessie is Devuan stable, but jessie is Debian oldstable. Debian stable is stretch, but the Devuan branch that tracks stretch is not even alpha - call it testing. So people say 'jessie', or 'stable' or 'testing' or this or that, and it gets very confusing very fast. Whose stable? Which jessie? Yes, often you can tell from context, but sometimes not so much.

And yes, Debian is dealing with one systemd mess chasing another... I did some testing with Stretch this morning, and I feel like I need to take a shower :-)  I don't think it's any stretch (ha ha!) to say that systemd disgusts me. I'm back to my usual dual-boot between ascii and (Devuan!) jessie...

Offline

Board footer