On Sat, Jun 15, 2019 at 07:30:12PM +0200, Andreas Metzler wrote:
> On 2019-06-14 Marc Haber <mh+debian-packa...@zugschlus.de> wrote:
> there are some semi-strict dependencies:
> exim4 requires exim4-base from the same Debian source version and one
> of the daemon packages (unversioned)
> The daemon packages require exim4-base of at least the same upstream
> version.
> exim4-base requires exim4-config and Breaks daemon packages of older
> upstream versions.
>
> So what we currently have is that exim4, -base, and -daemon-* share the
> same upstream version and exim4 and -base are built from the same source
> (not the same binNMU).
Yes, that means that only updating exim4 will not pull the daemon.

> You are suggesting to version the exim4 -> daemon dependency like this
> Depends: exim4-daemon-light (>= ${source:Version}) |
> exim4-daemon-heavy (>= ${source:Version}) |
> exim4-daemon-custom (>= ${source:Version})

Yes.

> I see two possible downsides:
> * Theoretically a dumb dependency-resolver might break upgrades,
> choosing the first alternative instead of checking whether upgrading
> everything fulfills the dependency.

I think we can discount this.

> * The -daemon-custom situation. I think the main reason why the
> dependencies are as they are is to not enforce a rebuild of
> exim4-daemon-custom for minor (i.e. Debian-revision) changes. This
> made a lot of sense when the packaging changed a lot, i.e. there were
> many uploads that would have produced the same -daemon-custom.
> Nowadays almost every upload includes a new patch from -fixes so it
> might make sense to change this,

I think that the usage of the -custom stuff is infinitesimally small. Heck, even I stopped doing this years ago. People doing this will most probably follow security themselves, and since they're building themselves anyway, can relax the versioned dependencies.

> PS: FWIW I do not think the original argument (I did "apt get install
> exim4" and am still CVE-xxx vulnerable) is a weak one. Linux packages
> often and for a long time have split upstream sources into multiple
> binaries. Therefore selective upgrades by "apt-get install somebinary"
> would often be incomplete. You'll either need to read every DSA en
> detail and manually compare the list of upgraded/fixed packages with
> installed list or just do "apt-get upgrade".

I do agree that the original issue is mainly a user error (the advisory says "update your exim4 packages" (plural)). I am wondering whether we can do something to leverage for stupid users.
Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
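The failure mode discussed in this thread (running `apt-get install exim4` pulls the new exim4 and exim4-base, but leaves an older exim4-daemon-* installed, so the fix from the advisory is not actually running) can be checked for on an installed system without waiting for the packaging change. The following POSIX shell script is an added example and is not code from the thread or from the exim4 packaging. It reads `package<TAB>version` lines, as `dpkg-query -W -f='${Package}\t${Version}\n' 'exim4*'` prints them, and reports any exim4-base or exim4-daemon-* package whose version differs from the installed exim4 metapackage. It strips a binNMU suffix (`+bN`) before comparing, since a rebuilt daemon package would still satisfy the proposed `>= ${source:Version}` dependency. The two sample inputs are constructed for the example; the version strings in them are made up and do not refer to any real upload.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of the exim4 packages.
# Checks that exim4, exim4-base and the installed exim4-daemon-* package(s)
# are all at the same Debian version, i.e. what a versioned
# "exim4 -> exim4-daemon-* (>= ${source:Version})" dependency would enforce.
#
# Input on stdin: one "<package>\t<version>" line per installed package, as
# produced on a real system by
#   dpkg-query -W -f='${Package}\t${Version}\n' 'exim4*' | check_exim_versions
#
# Returns 0 when everything is consistent, 1 when a mismatch (or a missing
# metapackage / daemon) is found. Mismatches are printed to stdout.
check_exim_versions() {
    awk -F'\t' '
        # Drop a binNMU suffix (+b1, +b2, ...) so a rebuilt daemon package is
        # not reported: it still satisfies a ">= source version" dependency.
        function strip_binnmu(v) { sub(/\+b[0-9]+$/, "", v); return v }

        $1 == "exim4"            { ref  = strip_binnmu($2) }
        $1 == "exim4-base"       { base = strip_binnmu($2) }
        $1 ~ /^exim4-daemon-/    { daemon[$1] = strip_binnmu($2) }

        END {
            if (ref == "") { print "exim4 metapackage not installed"; exit 1 }
            rc = 0
            if (base != ref) {
                printf "exim4-base %s does not match exim4 %s\n", base, ref
                rc = 1
            }
            n = 0
            for (p in daemon) {
                n++
                if (daemon[p] != ref) {
                    printf "%s %s does not match exim4 %s\n", p, daemon[p], ref
                    rc = 1
                }
            }
            if (n == 0) { print "no exim4-daemon-* package installed"; rc = 1 }
            exit rc
        }'
}

# Constructed sample: everything upgraded together (consistent).
# Version strings are made up for the example.
sample_consistent() {
    printf 'exim4\t4.92-2\nexim4-base\t4.92-2\nexim4-config\t4.92-2\nexim4-daemon-light\t4.92-2\n'
}

# Constructed sample: "apt-get install exim4" upgraded exim4 and exim4-base,
# but the daemon (the binary that actually runs) is still the previous revision.
sample_stale_daemon() {
    printf 'exim4\t4.92-2\nexim4-base\t4.92-2\nexim4-config\t4.92-2\nexim4-daemon-light\t4.92-1\n'
}

# Constructed sample: daemon was binNMUed; must NOT be reported as a mismatch.
sample_binnmu_daemon() {
    printf 'exim4\t4.92-2\nexim4-base\t4.92-2\nexim4-daemon-heavy\t4.92-2+b1\n'
}

# Stand-alone run against the constructed samples.
echo "consistent system:"
sample_consistent | check_exim_versions && echo "  OK"
echo "stale daemon:"
sample_stale_daemon | check_exim_versions || echo "  mismatch found (exit 1)"
echo "binNMUed daemon:"
sample_binnmu_daemon | check_exim_versions && echo "  OK"
```

On a real host the pipe from `dpkg-query` shown in the header comment replaces the sample functions; a non-zero exit is the signal that the advisory's "update your exim4 packages" was only partially applied.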