The officially official Devuan Forum!

anonymous

Member

Registered: 2019-03-05

Posts: 7  

Re: [SOLVED] Security update delays

waiting for firefox-esr security update....

https://security-tracker.debian.org/tra … irefox-esr

stretch (security)    60.7.1esr-1~deb9u1

------------

devuan (64bit) in  apt policy firefox-esr  still has

ascii  60.7.0esr-1~deb9u1(candidate)  (edited -> 60.6.1esr-1~deb9u1)

refreshing...

Last edited by anonymous (2019-06-19 10:28:57)

fsmithred

Administrator

Registered: 2016-11-25

Posts: 2,486  

Re: [SOLVED] Security update delays

Adjusted the subject line again.
Reported the issue again.

Stay tuned...

fsr

Ogis1975

Member

Registered: 2017-04-21

Posts: 307  

Website

Re: [SOLVED] Security update delays

Here's the explanation that was posted on devuan-dev mailing list yesterday. (The script failed if there was a read timeout.)

Thanks for the answer.

---

What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
            ----+- Peter Kropotkin -+----

pcalvert

Member

Registered: 2017-05-15

Posts: 215  

Re: [SOLVED] Security update delays

Update: The problem seems to have been fixed.

$ apt policy firefox-esr
firefox-esr:
  Installed: 60.7.1esr-1~deb9u1
  Candidate: 60.7.1esr-1~deb9u1
  Version table:
 *** 60.7.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main i386 Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Phil

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

anonymous

Member

Registered: 2019-03-05

Posts: 7  

Re: [SOLVED] Security update delays

AGAIN waiting for firefox-esr security update....

https://security-tracker.debian.org/tracker/firefox-esr

stretch (security)    60.8.0esr-1~deb9u1

------------

ascii  devuan (64bit) in  apt policy firefox-esr  still has

NOT UPDATED

pcalvert

Member

Registered: 2017-05-15

Posts: 215  

Re: [SOLVED] Security update delays

My results:

$ apt policy firefox-esr
firefox-esr:
  Installed: 60.7.2esr-1~deb9u1
  Candidate: 60.7.2esr-1~deb9u1
  Version table:
 *** 60.7.2esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main i386 Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Debian Stretch version: 60.8.0esr-1~deb9u1

Phil

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

yeti

Member

From: I'm not here: U R halucinating

Registered: 2017-02-23

Posts: 335  

Re: [SOLVED] Security update delays

I was lazy and now have 2 repositories in my sources list.
If this is a bad idea, please someone enlighten me...

$ apt policy firefox-esr
firefox-esr:
  Installed: (none)
  Candidate: 60.8.0esr-1~deb9u1
  Version table:
     60.8.0esr-1~deb9u1 500
        500 http://auto.mirror.devuan.org/merged ascii-security/main armhf Packages
     60.7.2esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main armhf Packages
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main armhf Packages
        500 http://auto.mirror.devuan.org/merged ascii-updates/main armhf Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main armhf Packages
        500 http://auto.mirror.devuan.org/merged ascii/main armhf Packages

---

*𝚛𝚒𝚋𝚋𝚒𝚝!*

fsmithred

Administrator

Registered: 2016-11-25

Posts: 2,486  

Re: [SOLVED] Security update delays

I was lazy and now have 2 repositories in my sources list.
If this is a bad idea, please someone enlighten me...

I see only devuan and ascii in your sources. You're safe. If you started adding non-devuan or non-ascii sources, you could run into problems. Without pinning, apt will take the highest available version, so right now, if you installed/upgraded firefox-esr, you'd get 60.8 from ascii-security on auto.mirror, because that's a higher version than what's in deb.devuan.

But that will change in a few minutes or a couple hours. Repo is updating again. (Thanks, Ralph.)

I'm not marking the thread as Solved this time. Let's wait and see what happens.

Marjorie

Member

From: Teignmouth, UK

Registered: 2019-06-09

Posts: 221  

Re: [SOLVED] Security update delays

Firefox-esr 60.8.0esr-1~deb9u1 hit the gb.deb.devuan.org/merged archive sometime before 2019-07-14  13:12:27 +0100 as that was when my unattended upgrades program downloaded it.

Both the previous Firefox-esr secuirty 60.7.1 and 60.7.2 security updates also downloaded shortly after Debian put them in their stable archive (though they hit Debian experimental and then testing sooner). I see no problem here.

Any idea when we might expect to see Firefox-esr 68 on ascii? I understand there will be another 2 months of security updates still to come on 60 before it becomes unsupported which implies it might be best to have a backpost before Beowulf becomes our new stable.

anonymous

Member

Registered: 2019-03-05

Posts: 7  

Re: [SOLVED] Security update delays

devuan

$ apt policy firefox-esr
firefox-esr:
  Installed: 68.3.0esr-1~deb9u1
  Candidate: 68.3.0esr-1~deb9u1
  Version table:
*** 68.3.0esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main amd64 Packages
        100 /var/lib/dpkg/status
     60.7.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main amd64 Packages
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main amd64 Packages
-------------------------------------

debian:

firefox-esr:
  Installed: 68.4.1esr-1~deb10u1
  Candidate: 68.4.1esr-1~deb10u1
  Version table:
*** 68.4.1esr-1~deb10u1 500
        500 http://deb.debian.org/debian-security stable/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     68.2.0esr-1~deb10u1 500
        500 http://deb.debian.org/debian stable/main amd64 Packages

Last edited by anonymous (2020-01-09 15:46:20)

fsmithred

Administrator

Registered: 2016-11-25

Posts: 2,486  

Re: [SOLVED] Security update delays

This (below) is a different problem. The security update delays have been fixed. The problem you're seeing here is the reason we recommend using the codenames in sources.list.

ascii is stretch
beowulf is buster

stable is not the same release in debian and devuan right now.  They will be the same again when beowulf is released. Until debian moves to their next release.

devuan

$ apt policy firefox-esr
firefox-esr:
  Installed: 68.3.0esr-1~deb9u1
  Candidate: 68.3.0esr-1~deb9u1
  Version table:
*** 68.3.0esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main amd64 Packages
        100 /var/lib/dpkg/status
     60.7.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main amd64 Packages
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main amd64 Packages
-------------------------------------

debian:

firefox-esr:
  Installed: 68.4.1esr-1~deb10u1
  Candidate: 68.4.1esr-1~deb10u1
  Version table:
*** 68.4.1esr-1~deb10u1 500
        500 http://deb.debian.org/debian-security stable/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     68.2.0esr-1~deb10u1 500
        500 http://deb.debian.org/debian stable/main amd64 Packages

devuan (beowulf)

firefox-esr:
  Installed: 68.3.0esr-1~deb10u1
  Candidate: 68.4.1esr-1~deb10u1
  Version table:
     68.4.1esr-1~deb10u1 500
        500 http://pkgmaster.devuan.org/merged beowulf-security/main amd64 Packages

pcalvert

Member

Registered: 2017-05-15

Posts: 215  

Re: [SOLVED] Security update delays

I found some evidence that this problem is back (or maybe it's a new, but related problem):

DSA-4701-1 intel-microcode -- security update
[Date Reported: 11 Jun 2020]

The update hasn't shown up for me yet, so I did some checking:

$ apt policy intel-microcode
intel-microcode:
  Installed: (none)
  Candidate: 3.20200609.2~deb9u1
  Version table:
     3.20200609.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/non-free i386 Packages
     3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free i386 Packages

When I first looked at that, I was a little confused. And then I remembered that I am using a 64-bit kernel (it's a multi-arch system).

So I checked again:

$ apt policy intel-microcode:amd64
intel-microcode:amd64:
  Installed: 3.20191115.2~deb9u1
  Candidate: 3.20191115.2~deb9u1
  Version table:
 *** 3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free amd64 Packages
        500 http://deb.devuan.org/merged ascii-security/non-free amd64 Packages
        100 /var/lib/dpkg/status

Okay, so that explains (partially) why I am not seeing the update. I then wondered, "Is this a Devuan problem, or is the problem on Debian's end?" To help answer that question, I added the repository for Debian Stretch security updates.

And here's the result that gave me:

$ apt policy intel-microcode:amd64
intel-microcode:amd64:
  Installed: 3.20191115.2~deb9u1
  Candidate: 3.20200609.2~deb9u1
  Version table:
     3.20200609.2~deb9u1 500
        500 http://deb.debian.org/debian-security stretch/updates/non-free amd64 Packages
 *** 3.20191115.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free amd64 Packages
        500 http://deb.devuan.org/merged ascii-security/non-free amd64 Packages
        100 /var/lib/dpkg/status

That tells me that the problem is not on Debian's end.

Phil

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

fsmithred

Administrator

Registered: 2016-11-25

Posts: 2,486  

Re: [SOLVED] Security update delays

Thanks. For some reason, security updates on pkgmaster are going to *-proposed-updates. We're not yet sure why. Until then you can add ascii-proposed-updates or beowulf-proposed-updtates, whichever is appropriate.

e.g.

deb http://deb.devuan.org/merged ascii-proposed-updates main contrib non-free

Marjorie

Member

From: Teignmouth, UK

Registered: 2019-06-09

Posts: 221  

Re: [SOLVED] Security update delays

Maybe working again?

On my mail-server unattended-upgrades (beowulf-security updates only)  downloaded an intel-microcode package at 03:45 BST.

Unattended upgrade result: All upgrades installed 

Packages that were upgraded:
 intel-microcode 

Package installation log:
Log started: 2020-06-14  03:45:13
apt-listchanges: Reading changelogs...
Preparing to unpack .../intel-microcode_3.20200609.2~deb10u1_amd64.deb ...
Unpacking intel-microcode (3.20200609.2~deb10u1) over (3.20191115.2~deb10u1) ...
Setting up intel-microcode (3.20200609.2~deb10u1) ...
update-initramfs: deferring update (trigger activated)
intel-microcode: microcode will be updated at next boot
Processing triggers for initramfs-tools (0.133+deb10u1) ...
update-initramfs: Generating /boot/initrd.img-4.19.0-9-amd64
Log ended: 2020-06-14  03:45:24

Unattended-upgrades log:
Enabled logging to syslog via daemon facility 
Initial blacklist : 
Initial whitelist: 
Starting unattended upgrades script
Allowed origins are: o=Devuan,n=beowulf-security
Packages that will be upgraded: intel-microcode
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
All upgrades installed