On Fri, Feb 28, 2025 at 10:57:31AM +0000, Colin Watson wrote:
> Ian Fleming wrote: "Once is happenstance. Twice is coincidence. The third
> time it's enemy action." I've only got as far as coincidence so far, but
> it's still enough to make me wonder.
>
> The following bugs on openssh both report problems with applying a recent
> security update on bookworm, because it depends on a libssl3 version that
> was added to bookworm in a point release:
>
> https://bugs.debian.org/1098272
> https://bugs.debian.org/1099091
>
> This is clearly (to my mind) a misconfiguration, so I've rejected them as
> bugs on openssh: we don't support installing only security updates and never
> upgrading to packages from new point releases, because those aren't
> rigorously separate streams: security updates are built against the stable
> suite and so may pick up versioned dependencies against it. But seeing two
> users who seem to have their systems configured this way makes me wonder
> what's going on. Does anyone know of documentation somewhere that
> recommends configuring stable systems this way?

As a datapoint, I have not seen documentation that recommends doing this,
but I have on occasion removed the main archive from my sources.list,
leaving only security updates. I have done this post point release when I
do not yet have a window scheduled for a reboot post point release update,
but do want to get security fixes.

It did not occur to me that such a thing could be considered a
misconfiguration; I've always assumed that libraries wouldn't change enough
in stable that this sort of thing would occur.

J.

--
101 things you can't have too much of : 36 - Spare video tapes.
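A check for the configuration discussed in this thread, added here as an example and not written by either poster or taken from Debian tooling: it flags releases whose security suite is enabled while the base suite is not. It assumes one-line-style `sources.list` entries (deb822 `.sources` files are not handled), and the sample input is constructed.

```python
import re

# Constructed sample: the base "bookworm" line is commented out, leaving only
# the security suite enabled (the setup described in the message above).
SAMPLE = """\
# deb http://deb.debian.org/debian bookworm main
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://security.debian.org/debian-security bookworm-security main
deb-src http://deb.debian.org/debian bookworm main
"""

# type, optional [options], URI, suite, components
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")


def enabled_suites(text):
    """Return the set of suites that have an active binary ('deb') entry."""
    suites = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if m and m.group(1) == "deb":  # deb-src cannot satisfy dependencies
            suites.add(m.group(3))
    return suites


def security_only_releases(text):
    """Codenames whose security suite is enabled while the base suite is not."""
    suites = enabled_suites(text)
    missing = []
    for suite in sorted(suites):
        if suite.endswith("-security"):
            base = suite[: -len("-security")]
        elif suite.endswith("/updates"):  # pre-bullseye security suite naming
            base = suite[: -len("/updates")]
        else:
            continue
        if base not in suites:
            missing.append(base)
    return missing


if __name__ == "__main__":
    for codename in security_only_releases(SAMPLE):
        print(f"{codename}: security suite enabled without the base suite; "
              "security updates may depend on point-release packages")
```

On a real host, pass in the concatenated contents of `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/` instead of `SAMPLE`.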