Hi Jeremy,

On Wed, Dec 05, 2018 at 02:15:04PM +1100, Jeremy Davis wrote:
> Hi,
>
> FYI TurnKey Linux is a Debian derivative which builds a library of
> headless server "software appliances" using mostly Debian packages, but
> many with upstream software pre-installed on top.
>
> I'm hoping to get some clarity on the "status" of the practice of adding
> new dependencies (not included in the security repo) when providing
> security related updated packages.
>
> For context, my question relates to a recent incident where ~70% of our
> library automatically uninstalled MariaDB when the recent security
> update[1] was released. If you want more detail, please see #914172[2].
>
> [1] https://www.debian.org/security/2018/dsa-4341
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172
>
> The crux of it is that we have a daily automated update task which
> installs packages exclusively from the security repo. The MariaDB
> security update included a new dependency on 'libconfig-inifiles-perl'
> (hosted in main, not security).
>
> As our config does not install packages from any repo other than
> security, this caused MariaDB to be uninstalled (uninstallable
> dependency causing apt to remove the package(s)).
>
> I.e. our current config assumes that any new dependencies for security
> updates would also be included in the security repo.
>
> If it is confirmed that this is expected (albeit uncommon) behaviour, we
> need to adjust our current auto-update config as it is not safe!
>
> If instead this was a mistake (human error), then we'd like to see how
> we might be able to support the Security team to avoid this happening
> again in the future. I have no idea what form this might take, but am
> open to suggestions.
The addition of libconfig-inifiles-perl was an intentional change here;
from the changelog entry:

  * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop

I would actually not recommend including only the security mirrors in
sources.list. In such cases you will also miss important updates
scheduled via point releases.

Does this help?

Regards,
Salvatore
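The failure mode discussed in this thread is that a restricted sources.list plus an unattended dist-upgrade lets apt "solve" an unsatisfiable new dependency by removing the package that needs it. Besides Salvatore's fix (keep the main and point-release mirrors in sources.list), an automated job can refuse to apply any run in which apt's simulation would remove packages. The script below is an added example written for this page; it is not TurnKey's or Debian's code. The function names, and the sample `apt-get -s dist-upgrade` output it parses (including its version strings), are constructed for illustration and are labelled as such in the code; the only apt behaviour it relies on is that the simulation prints one `Remv <pkg> [<version>]` line per package it would remove.

```shell
#!/bin/sh
# Added example, not part of the original thread: guard an unattended apt
# run by simulating it first and applying it only if apt would remove nothing.
# Function names and the sample output below are constructed for illustration.

# Read `apt-get -s dist-upgrade` output on stdin. Print each package apt
# would remove (one per line); exit 1 if there were any, 0 otherwise.
removed_packages() {
    # apt's simulation prints "Remv <pkg> [<version>]" for every removal.
    awk '$1 == "Remv" { print $2; found = 1 }
         END { exit (found ? 1 : 0) }'
}

# Cron entry point: simulate, and only apply when nothing would be removed.
# Not invoked below, so this file can be sourced or run without touching apt.
guarded_dist_upgrade() {
    sim=$(apt-get -s dist-upgrade 2>&1) || return 2
    if removed=$(printf '%s\n' "$sim" | removed_packages); then
        apt-get -y dist-upgrade
        return
    fi
    echo "refusing unattended upgrade, apt would remove:" >&2
    printf '%s\n' "$removed" >&2
    return 1
}

# Constructed sample (versions invented) of what the simulation prints in the
# situation from the thread: mariadb-client-10.1 gained a dependency that is
# only in main, the client is held out of the solution, and the server goes
# with it.
SAMPLE_REMOVAL='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  mariadb-client-10.1 mariadb-server-10.1
The following packages will be upgraded:
  libmariadbclient18 mariadb-common
Remv mariadb-server-10.1 [10.1.26-0+deb9u1]
Remv mariadb-client-10.1 [10.1.26-0+deb9u1]
Inst libmariadbclient18 [10.1.26-0+deb9u1] (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])
Inst mariadb-common [10.1.26-0+deb9u1] (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])
Conf libmariadbclient18 (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])
Conf mariadb-common (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])'

# Constructed sample of a clean run: the dependency is resolvable, so the
# client is upgraded in place and nothing is removed.
SAMPLE_CLEAN='Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libconfig-inifiles-perl
The following packages will be upgraded:
  libmariadbclient18 mariadb-client-10.1 mariadb-common mariadb-server-10.1
Inst libconfig-inifiles-perl (2.94-1 Debian:9.6/stable [all])
Inst mariadb-client-10.1 [10.1.26-0+deb9u1] (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])
Conf libconfig-inifiles-perl (2.94-1 Debian:9.6/stable [all])
Conf mariadb-client-10.1 (10.1.37-0+deb9u1 Debian-Security:9/stable [amd64])'

# Demonstration on the constructed samples; does not touch apt.
for sample in "$SAMPLE_REMOVAL" "$SAMPLE_CLEAN"; do
    if out=$(printf '%s\n' "$sample" | removed_packages); then
        echo "sample: nothing removed, upgrade would proceed"
    else
        echo "sample: upgrade would be refused, apt would remove: $(echo $out)"
    fi
done
```

The guard is deliberately coarse: a removal that a maintainer intended (a package replaced by a renamed successor) is also refused and left for a human, which is the right default for a fleet of headless appliances. It complements rather than replaces the sources.list fix from the reply above, because a removal can only be avoided if the new dependency is actually reachable.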