Thanks for your input Chris, On 4/12/18 09:12, Chris Lamb wrote: > My quick glance at this bug report suggests there is something wrong > with your APT setup and/or unattended-upgrades. I apologise I was not > aware of all this context & history until now...
I can't speak for unattended-upgrades, but AFAIU our apt config is essentially doing what it's designed to do. I.e. only installing updated packages within the security repo - albeit a little too violently! > You appear to be overly-preoccupied with persuing whether adding > dependencies is a "policy" or not but it remains unclear to me what you > would do with this information either way. I have my own thoughts on > whether it is a policy, but that is entirely academic. Sorry if my intention is not clear. From my perspective, the understanding of whether or not this occurrence (i.e. new deps in sec updates, not being within the sec repo) is "legitimate" is not academic. It is the vital piece of info to inform what we do next. Perhaps my message to the security team (cc this bug) helps? In case not: Our current config rests on the assumption that all security updates (and their dependencies) will be hosted within the security apt repo. (FWIW, it appears unattended-updates default config also rests on this assumption). Judging by this occurrence, this is clearly not always the case. What we do next with this info depends on whether this is "how it is" (albeit uncommon) or a mistake. If we are making an unreasonable assumption , then our apt config needs to change as a matter of urgency as it is clearly not safe! Further we'd need to investigate what alternative measures to take. Also, we probably should file a bug against unattended updates. If instead, the assumption is reasonable, but a human error has occurred in this instance, then we would be keen to see how we might support the security team to avoid this happening again. > If you could provide a minimal testcase in Debian stretch for your > issue here, that would be ideal. Alas, downloading and applying some > custom configuration to a Turnkey appliance VM might be a request too > far for someone more-knowledgeable than me who wishing you help you, > I'm afraid. Thanks, but it seems clear (to me at least) that we've worked out the "how" and the "why" we got the result we did. What remains to be understood is whether the issue is with our config making incorrect assumptions, or a mistake/bug with this update. Hope I don't sound like I'm ranting and my position makes more sense now?! :) Regards, Jeremy
signature.asc
Description: OpenPGP digital signature
