The officially official Devuan Forum!

You are not logged in.

#1 2019-06-14 16:33:58

Nili
Member
From: $HOME/♫♪
Registered: 2016-12-01
Posts: 230  
Website

[SOLVED] DSA-4462-1 dbus -- security update

Hello! I just noted an update for dbus package that has been kept back from upgrading.

[sudo] password for nili: 
Get:1 http://auto.mirror.devuan.org jessie InRelease [21.8 kB]
Get:2 http://auto.mirror.devuan.org jessie-security InRelease [21.2 kB]
Get:3 http://auto.mirror.devuan.org jessie-updates InRelease [21.8 kB]     
Get:4 http://auto.mirror.devuan.org jessie/main i386 Packages [6,877 kB]
Get:5 http://auto.mirror.devuan.org jessie-security/main i386 Packages [643 kB]                                                                                                                                     
Get:6 http://auto.mirror.devuan.org jessie-updates/main i386 Packages [732 B]                                                                                                                                       
Ign http://auto.mirror.devuan.org jessie/main Translation-en_US                                                                                                                                                     
Ign http://auto.mirror.devuan.org jessie/main Translation-en                                                                                                                                                        
Ign http://auto.mirror.devuan.org jessie-security/main Translation-en_US                                                                                                                                            
Ign http://auto.mirror.devuan.org jessie-security/main Translation-en                                                                                                                                               
Ign http://auto.mirror.devuan.org jessie-updates/main Translation-en_US                                                                                                                                             
Ign http://auto.mirror.devuan.org jessie-updates/main Translation-en                                                                                                                                                
Fetched 7,585 kB in 19s (391 kB/s)                                                                                                                                                                                  
Reading package lists... Done
#! nili ~ $ upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  dbus
The following packages will be upgraded:
  libdbus-1-3
1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 182 kB of archives.
After this operation, 37.9 kB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

To see what's going on, i stimulated "-s dist-upgrade"  I saw that "libsystemd0" was trying to say hello to me.

#! nili ~ $ sudo apt-get -s dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  libsystemd0
The following packages will be upgraded:
  dbus libdbus-1-3
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst libdbus-1-3 [1.8.20-1+devuan1.1] (1.8.22-0+deb8u2 Devuan-Security:1.0/oldstable-security [i386])
Inst libsystemd0 (215-17+deb8u13 Devuan-Security:1.0/oldstable-security [i386])
Inst dbus [1.8.20-1+devuan1.1] (1.8.22-0+deb8u2 Devuan-Security:1.0/oldstable-security [i386])
Conf libdbus-1-3 (1.8.22-0+deb8u2 Devuan-Security:1.0/oldstable-security [i386])
Conf libsystemd0 (215-17+deb8u13 Devuan-Security:1.0/oldstable-security [i386])
Conf dbus (1.8.22-0+deb8u2 Devuan-Security:1.0/oldstable-security [i386])
#! nili ~ $

Not far from yesterday, Debian released an security-update regarding dbus. I have stopped upgrading, for any confirmation from someone who has more clue.

I haven't installed libsystemd0 since my first NETINST of this system back in DATE:    2017-02-09 08:03

Other weird, perhaps mish mash I noticed there are two different candidate version for libsystemd0 on Jessie stable.

#! nili ~ $ apt-cache policy libsystemd0
libsystemd0:
  Installed: (none)
  Candidate: 215-17+deb8u13
  Version table:
     215-17+deb8u13 0
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main i386 Packages
     215-17+deb8u7 0
        500 http://auto.mirror.devuan.org/merged/ jessie/main i386 Packages
#! nili ~ $ 

Err, i don't like dbus at all.
APT source list i 'm using...

deb http://auto.mirror.devuan.org/merged/ jessie main
deb http://auto.mirror.devuan.org/merged/ jessie-security main
deb http://auto.mirror.devuan.org/merged/ jessie-updates main

Perhaps i must change/hide anything on "auto.mirror.devuan" source list?

I am still on Devuan 1 Jessie (stable)
Kind Regards!

Last edited by Nili (2019-06-17 19:09:39)


Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!

Offline

#2 2019-06-14 19:17:29

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,479  

Re: [SOLVED] DSA-4462-1 dbus -- security update

It's normal to have different versions in the main suite and the security suite when the security updates are first introduced. Right now, the updated dbus package needs to be devuanized. (note the distribution names in the versions.)

For now, if you use aptitude full-upgrade, the second option is reasonable:

Accept this solution? [Y/n/q/?] n
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     dbus [1.8.20-1+devuan1.1 (now, oldstable)]

Accept this solution? [Y/n/q/?] 

If you want to run without dbus, it's possible. You would probably need to reinstall all the packages it pulls out with it. Most of them will reinstall without any problems. See this (if you haven't already): https://dev1galaxy.org/viewtopic.php?id=2158

Offline

#3 2019-06-14 20:03:49

Nili
Member
From: $HOME/♫♪
Registered: 2016-12-01
Posts: 230  
Website

Re: [SOLVED] DSA-4462-1 dbus -- security update

Hi fsmithred, thanks for your input regarding different candidate versions of a package + other opinions/suggestions.

I'm glad if Dbus will be devuanized. I don't like to have libsystemd0 installed.

I mentioned it above my version, however it is
DISTRIBUTION:    Devuan GNU/Linux 1 (jessie) i686
Dbus is:

dbus:
  Installed: 1.8.20-1+devuan1.1
  Candidate: 1.8.22-0+deb8u2
  Version table:
     1.8.22-0+deb8u2 0
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main i386 Packages
 *** 1.8.20-1+devuan1.1 0
        500 http://auto.mirror.devuan.org/merged/ jessie/main i386 Packages
        100 /var/lib/dpkg/status

I don't have aptitude, i only use apt, yes i know Devuan 1 come with aptitude, but i have removed once I was doing spring cleaning.
APT is enough for me.

Thanks for the link about no dbus usage, it's good to have a chance to use system without it, I'd like to try, but not on my current hardware/OS because it's too old to mess.

Edit: fixed grammar, also add dbus apt-cache policy.

Last edited by Nili (2019-06-14 20:07:33)


Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!

Offline

#4 2019-06-14 21:33:32

golinux
Administrator
Registered: 2016-11-25
Posts: 3,305  

Re: [SOLVED] DSA-4462-1 dbus -- security update

Nili wrote:

I'm glad if Dbus will be devuanized. I don't like to have libsystemd0 installed.

libsystemd0 is no longer present in beowulf thanks to changes in libelogind.

Online

#5 2019-06-14 21:46:06

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: [SOLVED] DSA-4462-1 dbus -- security update

It might be worth submitting a bug report to Debian against the buster dbus package complaining that it depends solely on libsystemd0 when it should have libelogind0 as an alternative dependency.

Or tell the init-diversity mailing list and see what they say about it:

http://www.chiark.greenend.org.uk/mailm … -diversity

FWIW I had beowulf running dbus-free under OpenRC, it was lovely smile

Last edited by Head_on_a_Stick (2019-06-14 21:46:50)


Brianna Ghey — Rest In Power

Offline

#6 2019-06-14 21:53:22

golinux
Administrator
Registered: 2016-11-25
Posts: 3,305  

Re: [SOLVED] DSA-4462-1 dbus -- security update

Already done.  Some early technical discussion HERE.

Online

#7 2019-06-15 07:27:21

Nili
Member
From: $HOME/♫♪
Registered: 2016-12-01
Posts: 230  
Website

Re: [SOLVED] DSA-4462-1 dbus -- security update

golinux wrote:

libsystemd0 is no longer present in beowulf thanks to changes in libelogind.

Ok that's a good news for beowulf, but if they were to remove dependencies of libsystemd0 to dbus, (jessie) would take some breath.
I'm not ready for beowulf at the moment.


Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!

Offline

#8 2019-06-17 19:09:23

Nili
Member
From: $HOME/♫♪
Registered: 2016-12-01
Posts: 230  
Website

Re: [SOLVED] DSA-4462-1 dbus -- security update

EDIT: I made a strike at SpaceFM netinstall from ignorantguru.github
I successfully made out to the latest version without dbus also minus few features (--disable-desktop-integration --disable-video-thumbnails --disable-startup-notification) during compiling spacefm.

This is Double Solved! Thread for me.

No more "libsystemd0" inside, except a few "systemd" folders on system installed from early ISO setup.
We've been told to leave them alone, but i wish those folders doesn't exist..

I also cleaned my $USER from sudo and purged sudo in favor of "su". Re done all sudo aliases to su aswell.

This old desktop is a bit cleaned tho, just ready to be closed in a garage or museum to use a better ones that i just bought it.

Other edit: I sorted the info needed.

Thank you.

Nili

Last edited by Nili (2019-06-21 15:02:51)


Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!

Offline

Board footer