Re: Security updates for forked packages? (e.g. xorg-server)

dummy@example.com (pcalvert) — Sun, 24 Dec 2023 05:24:30 +0000

You are correct. This is what my Daedalus-based Refracta system is showing:

$ aptitude show xserver-xorg-core
Package: xserver-xorg-core               
Version: 2:21.1.7-3+deb12u2devuan1
State: installed
Automatically installed: yes
Priority: optional
Section: x11
Maintainer: Devuan Developers 
Architecture: amd64
Uncompressed Size: 3,907 k
Depends: xserver-common (>= 2:21.1.7-3+deb12u2devuan1), keyboard-configuration, udev (>= 149), libegl1, libaudit1 (>= 1:2.2.1),
         libbsd0 (>= 0.7.0), libc6 (>= 2.35), libdrm2 (>= 2.4.66), libepoxy0 (>= 1.5.4), libeudev1 (>= 3.2.12), libgbm1 (>=
         17.1.0~rc2), libgcrypt20 (>= 1.10.0), libgl1, libpciaccess0 (>= 0.12.902), libpixman-1-0 (>= 0.30.0), libseat1 (>= 0.5.0),
         libselinux1 (>= 3.1~), libunwind8, libxau6 (>= 1:1.0.9), libxcvt0 (>= 0.1.0), libxdmcp6, libxfont2 (>= 1:2.0.1),
         libxshmfence1
Recommends: libgl1-mesa-dri (>= 7.10.2-4), xcvt
Suggests: xfonts-100dpi | xfonts-75dpi, xfonts-scalable
Conflicts: xserver-xorg-input-evtouch, xserver-xorg-video-modesetting
Breaks: libgl1-mesa-dri (< 18.0.5), systemd (< 226-4~), xserver-xorg (< 1:7.7+10~)
Replaces: xserver-xorg (< 1:7.7+10~), xserver-xorg-video-modesetting
Provides: xorg-input-abi-24, xorg-video-abi-25, xserver-xorg-video-modesetting
Description: Xorg X server - core server
 The Xorg X server is an X server for several architectures and operating systems, which is derived from the XFree86 4.x series of X
 servers. 
 
 The Xorg server supports most modern graphics hardware from most vendors, and supersedes all XFree86 X servers. 
 
 More information about X.Org can be found at:  
 
 This package is built from the X.org xserver module.
Homepage: https://www.x.org/

I also checked the apt cache for recent debs:

$ ls -l /var/cache/apt/archives |grep xserver-xorg
-rw-r--r-- 1 root root  1365092 Oct 26 09:56 xserver-xorg-core_2%3a21.1.7-3+deb12u2devuan1_amd64.deb
-rw-r--r-- 1 root root   122432 Feb 12  2022 xserver-xorg-input-evdev_1%3a2.10.6-2+b1_amd64.deb
-rw-r--r-- 1 root root    69248 Feb 12  2022 xserver-xorg-input-mouse_1%3a1.9.3-1+b1_amd64.deb
-rw-r--r-- 1 root root   214892 Mar 23  2023 xserver-xorg-input-synaptics_1.9.2-1+b1_amd64.deb

This is the relevant Debian security advisory:
https://www.debian.org/security/2023/dsa-5576-2

According to that web page, the xserver-xorg-core package in Daedalus is two versions behind.

Re: Security updates for forked packages? (e.g. xorg-server)

dummy@example.com (semil) — Sun, 24 Dec 2023 00:01:54 +0000

That shows just xorg-server-source, but the runtime pieces have names like xserver-xorg-*. And the xserver-xorg-core in Daedalus is 2:21.1.7-3+deb12u2devuan1.

Re: Security updates for forked packages? (e.g. xorg-server)

dummy@example.com (golinux) — Sat, 23 Dec 2023 20:48:07 +0000

It looks like xorg-server comes directly from Debian so you shouldn't have to do anything special if you sources.list is in order.

Security updates for forked packages? (e.g. xorg-server)

dummy@example.com (semil) — Sat, 23 Dec 2023 19:31:41 +0000

xorg-server had vulnerabilities fixed in Debian about six days ago. I know Devuan’s is forked because of the libseat situation.

In such a case, is “TODO: merge xorg-server security fixes” added to some list of items somewhere, or…?

Dev1 Galaxy Forum / Security updates for forked packages? (e.g. xorg-server)

Re: Security updates for forked packages? (e.g. xorg-server)

Re: Security updates for forked packages? (e.g. xorg-server)

Re: Security updates for forked packages? (e.g. xorg-server)

Security updates for forked packages? (e.g. xorg-server)