[debian-mysql] Bug#914172: mariadb-server-10.1: mariadb-server sec-update (10.1.37-0+deb9u1) uninstalls default-mysql-server, mysql-server, mariadb-server-10.1 & mariadb-client-10.1

[Chris Lamb]

Hi Jeremy,

> > You appear to be overly-preoccupied with persuing whether adding
> > dependencies is a "policy" or not but it remains unclear to me what you
> > would do with this information either way.
[…]
> Our current config rests on the assumption that all security updates
> (and their dependencies) will be hosted within the security apt repo.
>
> Judging by this occurrence, this is clearly not always the case. What we
> do next with this info depends on whether this is "how it is" (albeit
> uncommon) or a mistake.

I don't think it does/did. My reasoning was that either:

 a) Packages "may" be added → you need to adjust your config as this
    is something that can happen in practice, or;

 b) Packages "may not" be added as a general rule and this was an
    accident mistake or oversight → you need to adjust your config
    anyway as its clearly something that can happen in the real
    world regardless of learning what the policy is.
    
    (This so-called "policy" could change in the future anyway for
    special problems we have no possible idea today about the
    solutions are. See, for example, new packages introduced as part
    of DSA-1571-1, SPECTURE/meltdown detection, or whatever...)

As it happens "a)" is the reality — and it's naturally always good to
get clarification — but note that in both cases you need to upjust
your unattended-upgrades configuration, hence my use of "academic".


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-