Author: g4sra
Date:  
To: dng@lists.dyne.org
Subject: Re: [DNG] Fwd: tearing down the /usr-move project
On Tuesday, November 18th, 2025 at 11:43, Didier Kryn <kryn@???> wrote:

> On 18/11/2025 at 12:30, g4sra via Dng wrote:
>


> > > Can you provide an example where a remote dist-upgrade is mandatory?
> >


> > It can be a contractual agreement or legal obligation to patch all CVEs within a prescribed time limit.
> > I have ripped my hair out on more than one occasion trying to arrange remote access to comply with the above.
>


> So you're committed to upgrade. Neither dist-upgrade nor usr-merge


If only it were that simple. It often boils down to the source the packages were compiled from, and how they were compiled (e.g. switches), as to whether they are deemed vulnerable. Software version inventory was a real pita on Ubuntu because they didn't change the version reported by the software. On some systems reported versions were not adequate and binary checksumming was the order of the day.

How systems are being used also comes into play. A system in a vault subject to a USB keylogger CVE may be deemed as complying with contractual obligations on the grounds that unauthorised access is impossible. 

>