:: Re: [DNG] ascii-security Was:Re: Se…
Top Page
Delete this message
Reply to this message
Author: fsmithred
Date:  
To: dng
Subject: Re: [DNG] ascii-security Was:Re: Security updates in Devuan
On 09/07/2017 08:55 AM, Svante Signell wrote:
> On Thu, 2017-09-07 at 21:07 +0900, Olaf Meeuwissen wrote:
>> Hi John,
>>
>> John Franklin writes:
>>
>>> I’ve seen several security alerts from Debian, but no matching
>>> updates in Devuan. For example, the “file" package has
>>> CVE-2017-1000249, released yesterday.
>>>
>>>> For the stable distribution (stretch), this problem has been fixed in
>>>> version 1:5.30-1+deb9u1.
>
>> Uhm, Devuan ascii is testing. I'd think that doesn't get any security
>> upgrades, just like Debian's testing (buster) doesn't get any.
>
> No, Devuan ascii is stretch, i.e. Debian stable.
>
> This upgrade should be available, but isn't:
> Adding to /etc/apt/sources.list,
> deb http://auto.mirror.devuan.org/merged ascii-security  main
> does not make it available:
> apt-cache policy file
> file:
>   Installed: 1:5.30-1
>   Candidate: 1:5.30-1
>   Version table:
>  *** 1:5.30-1 991
>         991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
>         100 /var/lib/dpkg/status
> _______________________________________________



My sources.list is bigger than yours, and I see the same thing for file,
but I know of two other cases in which the patched version found in
stretch security is in ascii-proposed-updates -

apache2:
  2.4.25-3+deb9u2 0
    10 http://security.debian.org/ stretch/updates/main amd64 Packages
    100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main
amd64 Packages


chromium:
  60.0.3112.78-1~deb9u1 0
    10 http://security.debian.org/ stretch/updates/main amd64 Packages
    100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main
amd64 Packages


I think there's nothing in ascii-security and ascii-updates. The Packages
files for both are empty. (I only checked amd64.)

In contrast to that jessie-security, jessie-updates and
jessie-proposed-updates all have packages.

Can someone explain the difference between -security, -updates and
-proposed-updates? What goes where, and why is ascii different from
jessie? Thanks. Questions about security updates come up regularly on d1g.


fsmithred