The officially official Devuan Forum!


#26 2017-09-03 16:03:37

garyz.dev1
Member
Registered: 2017-06-15
Posts: 78

Re: Security updates for devuan jessie

When you folks talk about 'testing' a distro - what do you do??
I load them and run some Internet stuff, check my audio, and a terminal, a 'notepad-type' editor.
ya' know - basic workhorse stuff  - I'm not artistic, musical

Should I be doing - graphics?, playing with different 'themes' and desktop environments?
IMO 'themes' are pretty much a ....  - I know  - Linux is about 'freedom of choice'!!
( 5 or 6 basic color combination is all that is needed )  - - it seems that about 25% of trouble tickets
are related to font size in so-and-so DE, or a panel/menu doesn't fade/overlay/align!!

Well wait a minute - Gary  :: Linux has a work side and a fun side   -- OKAY - back on track
It is a question - I want to try and help Devuan debug ascii and ceres .
TIA

Offline

#27 2017-09-06 08:52:46

leloft
Member
Registered: 2017-08-10
Posts: 13

Re: Security updates for devuan jessie

fsmithred wrote:

What packages did you get from debian that you should not have gotten?

I wish I could answer that with any degree of confidence.  After the unauthorized packages incident, I uninstalled as much as I could remember flashing past me in the terminal. Due to the incomplete logs, I could only guess.  Is there a way to compare installed packages with those held in devuan repositories on a system-wide basis, not an individual package basis?

I have tried three times to offer a better answer to your question, but I keep getting timed out.  I exported the apt-get purge and reinstall sequence of packages, but it runs to over 1000 words which I feel is too long to post, although I am happy to email or otherwise provide it if that would help.  However, a better solution would be to see if I have any 'debian-native, non-devuan' packages installed, and post the results of that.  So any pointers on what commands would achieve that would be most helpful.
Many thanks

f

Offline

#28 2017-09-06 11:47:19

fsmithred
Administrator
Registered: 2016-11-25
Posts: 378

Re: Security updates for devuan jessie

You posted the following. There's no error message saying that stretch-backports does not exist, so you must have had stretch-backports in your sources at some point:

#apt-get -t stretch-backports install chromium
Reading package lists...
Building dependency tree...
Reading state information...
chromium is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.


To see if you pulled in packages from backports or testing, you can run

aptitude search ~i -F"%p# %v# %t#"

but I'm not sure it will be entirely accurate. I'm running jessie, and it shows most of my packages are from "stable" with a few from "jessie-backports". If there are packages from ascii or stretch, they should show up as "testing".

For packages that have not been devuanized, you won't be able to tell whether you pulled it from debian or devuan unless you can find a version mismatch, where debian has a different version than devuan, and you have installed the version from debian. Right now, the only example I can think of is chromium-60 in stretch security vs. chromium-59 from ascii. If you were running ascii and had chromium-60 running and you didn't get it from the ceres repo, you would have gotten it from debian.


For reference, here are some other useful commands: https://dev1galaxy.org/viewtopic.php?id=511

Offline

#29 2017-09-06 14:09:37

leloft
Member
Registered: 2017-08-10
Posts: 13

Re: Security updates for devuan jessie

fsmithred wrote:

To see if you pulled in packages from backports or testing, you can run

aptitude search ~i -F"%p# %v# %t#"

Clean bill of health: piping this through 'grep backports' or 'grep testing' returns nothing.
Many thanks for this most helpful answer.

Edit:
Although piping it through 'grep bpo9' turned up:

geoip-database                         20170713-1~bpo9+1                       
manpages                               4.12-1~bpo9+1                           
manpages-dev                           4.12-1~bpo9+1

which I have now uninstalled and reinstalled from jessie-backports:

piping it through 'grep geoip-database' gives
geoip-database                         20170512-1~bpo8+1      jessie-backports

and through 'grep manpages' gives
manpages                               3.74-1                 jessie-backports 
manpages-dev                           3.74-1                 jessie-backports

and through 'bpo9' gives nothing.

So now I have to figure how stretch-backports got into the sources.list and check my other machines.

But I'd like to repeat my thanks for such a helpful answer.

Last edited by leloft (2017-09-06 15:40:21)

Offline
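
Added example, not part of any post in this thread: a shell filter for the aptitude listing discussed in posts #28 and #29. It flags installed packages whose version suffix (~bpoN or debNuM) names a different Debian release number than the one the system tracks, or whose archive column is blank or unexpected. The function names, the allowed-archive list and the examplepkg row are assumptions; the other sample rows are copied from post #29.

```shell
#!/bin/sh
# Usage on a live system (command from post #28):
#   aptitude search ~i -F"%p# %v# %t#" | flag_foreign 8 stable,jessie-backports

flag_foreign() {
    # $1: Debian release number the system tracks (8 = jessie, 9 = stretch)
    # $2: comma-separated archive names that are expected (assumed list)
    awk -v rel="$1" -v allowed="$2" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 2 {
        name = $1; ver = $2; arch = (NF >= 3) ? $3 : ""; why = ""
        # ~bpoN and debNuM suffixes carry the release number the build targets.
        if (match(ver, /(~bpo|deb)[0-9]+/)) {
            tag = substr(ver, RSTART, RLENGTH)
            num = tag; sub(/^[^0-9]+/, "", num)
            if (num != rel) why = "suffix-" tag
        }
        # Blank archive column, as for the bpo9 rows in post #29.
        if (arch == "")          why = why (why ? "," : "") "no-archive"
        else if (!(arch in ok))  why = why (why ? "," : "") "archive-" arch
        if (why != "") print name, ver, why
    }'
}

sample_input() {
    # Rows from post #29, plus one constructed row (examplepkg).
    cat <<'EOF'
geoip-database                         20170713-1~bpo9+1
manpages                               4.12-1~bpo9+1
manpages-dev                           3.74-1                 jessie-backports
geoip-database                         20170512-1~bpo8+1      jessie-backports
examplepkg                             1.0-1                  testing
EOF
}

# Prints the two bpo9 rows and the examplepkg row, each with its reason.
sample_input | flag_foreign 8 stable,jessie-backports
```

Matching on the version suffix catches the bpo9 packages even though 'grep backports' and 'grep testing' on the archive column returned nothing.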

#30 2017-09-06 15:26:29

fsmithred
Administrator
Registered: 2016-11-25
Posts: 378

Re: Security updates for devuan jessie

What you find depends on how you look. I just added this line to my sources:

deb http://auto.mirror.devuan.org/merged ascii-proposed-updates main contrib non-free

And now I see this - chromium-60 is in ascii-proposed-updates

# apt-cache policy chromium
chromium:
  Installed: 57.0.2987.98-1~deb8u1
  Candidate: 57.0.2987.98-1~deb8u1
  Version table:
     60.0.3112.78-1~deb9u1 0
        100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main amd64 Packages
     59.0.3071.86-1 0
        100 http://us.mirror.devuan.org/merged/ ascii/main amd64 Packages
 *** 57.0.2987.98-1~deb8u1 0
        500 http://us.mirror.devuan.org/merged/ jessie/main amd64 Packages
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
        100 /var/lib/dpkg/status

Offline
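
Added example, not part of any post in this thread: a shell function that reads 'apt-cache policy <package>' output like that in post #30 and prints which configured suites offer the installed version. If the installed version appears only under /var/lib/dpkg/status, no source currently in sources.list provides it, and the function reports that instead. The function names and the second sample (examplepkg and its versions) are constructed assumptions; the first sample is the output quoted in post #30.

```shell
#!/bin/sh
# Usage on a live system: apt-cache policy chromium | installed_origins

installed_origins() {
    awk '
    $1 == "***" { cur = 1; ver = $2; next }      # entry for the installed version
    cur && $1 ~ /^[0-9]+$/ && $2 ~ /\// {        # "<priority> <source> ..." line
        if ($2 == "/var/lib/dpkg/status") next   # local dpkg database, not a repo
        print ver, $1, $3                        # version, priority, suite/component
        found++
        next
    }
    cur { cur = 0 }                              # a different version entry begins
    END { if (ver != "" && !found) print ver, "-", "NO-CONFIGURED-SOURCE" }
    '
}

policy_from_thread() {   # output quoted in post #30
    cat <<'EOF'
chromium:
  Installed: 57.0.2987.98-1~deb8u1
  Candidate: 57.0.2987.98-1~deb8u1
  Version table:
     60.0.3112.78-1~deb9u1 0
        100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main amd64 Packages
     59.0.3071.86-1 0
        100 http://us.mirror.devuan.org/merged/ ascii/main amd64 Packages
 *** 57.0.2987.98-1~deb8u1 0
        500 http://us.mirror.devuan.org/merged/ jessie/main amd64 Packages
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

policy_constructed() {   # constructed: installed version known only to dpkg
    cat <<'EOF'
examplepkg:
  Installed: 2.0-1~bpo9+1
  Candidate: 2.0-1~bpo9+1
  Version table:
 *** 2.0-1~bpo9+1 0
        100 /var/lib/dpkg/status
     1.0-1 0
        500 http://us.mirror.devuan.org/merged/ jessie/main amd64 Packages
EOF
}

policy_from_thread | installed_origins
policy_constructed | installed_origins
```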

#31 2017-09-07 12:35:11

gnath
Member
From: city of joy
Registered: 2017-08-12
Posts: 8

Re: Security updates for devuan jessie

The 'synaptic > origin' also is good for checking installed & available versions for group of packages. But it is
valid for 'sources lists' at that point of time. Any change & update would alter the information again. It is
not possible to know the source of installed pkg's. Change suite name to stretch-backport, update & check, don't
upgrade. Then revert back to original. Other suites are used for testing & on purpose as done by @fsmithred.

@fsmithred chromium-60.0.3112.78-1 was in buster, sid, ceres & @ogis1975 chromium-60.0.3112.78-1~deb9u1 from
stretch security which is higher version & has security patch. Now ascii-proposed-updates has that security
update (ascii-security?). To get latest version we have to activate all suites for regular update && upgrade.

Offline

#32 2017-09-07 13:03:32

fsmithred
Administrator
Registered: 2016-11-25
Posts: 378

Re: Security updates for devuan jessie

From what I can see, ascii-security is empty. There's also an ascii-updates that's empty. In the case of chromium, the version with the security patch went to ascii-proposed-updates, so I would assume that anything in stretch security goes to ascii-proposed-updates. (not including anything that requires systemd)

On the other hand, jessie-security and jessie-updates and jessie-proposed-updates all have packages. I don't know the logic of what packages go where. I do hope to get some clarification on this, and that will probably happen around the time that amprolla3 is deployed.

gnath, it's not clear what you're saying about which version is higher and patched. The version in buster, sid and ceres does have the patch. I think the "~deb9u1" just means that the package was backported to debian9 (stretch).

Offline

#33 2017-09-08 11:59:04

gnath
Member
From: city of joy
Registered: 2017-08-12
Posts: 8

Re: Security updates for devuan jessie

You hit the nail on the head. I restrained myself from asking those Q's. fsmithred, in my understanding some glitch was
in amprolla for ascii. Ideally ascii, -security & -updates have forked all pkg's, other than devuanised one,
from corresponding debian stretch repo's. These are empty due to some problem. So there was no
update && upgrade since last few weeks. Jessie (I don't have now) & ceres has no problem.
In no way pkg's from stretch security automatically should flow to -proposed-updates. The same were followed
for jessie from day one. Testing amprolla & others will make repo's in order soon.

I can follow main three repo's for regular update && upgrade like old days. Packages from -backport have
ver. no. as 'bpo' & can be used with some salt. Have no idea about 'proposed'. I can assume that pkg's flow
from experimental to ceres to ascii after 10/20 days without major bug. Hope you will put some light on this.

"~deb9u1" is upgrade one of stretch pushed through stretch security (declared on their site). That is why it is
upgradable. Other suites have not received updates, but only stable. Security patch will be provided only
on next upgrade of chromium for buster & sid (ceres).
You know that if chromium will be devuanised then 'devuan1' will be added next & ready for automatic update.
Any correction will be helpful for devuan users.

Last edited by gnath (2017-09-08 12:03:38)

Offline
