[debian-mysql] Bug#914172: Inquiry re "policy" of new dependencies (not hosted in sec repo) added when issuing security updates

Jeremy Davis jeremy at turnkeylinux.org
Wed Dec 5 03:15:04 GMT 2018


Hi,

FYI TurnKey Linux is a Debian derivative which builds a library of
headless server "software appliances" using mostly Debian packages, but
many with upstream software pre-installed on top.

I'm hoping to get some clarity on the "status" of the practice of adding
new dependencies (not included in the security repo) when providing
security related updated packages.

For context, my question relates to a recent incident where ~70% of our
library automatically uninstalled MariaDB when the recent security
update[1] was released. If you want more detail, please see #914172[2].

[1] https://www.debian.org/security/2018/dsa-4341
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172

The crux of it is that we have a daily automated update task which
installs packages exclusively from the security repo. The MariaDB
security update included a new dependency on 'libconfig-inifiles-perl'
(hosted in main, not security).

As our config does not install packages from any repo other than
security, this caused MariaDB to be uninstalled (uninstallable
dependency causing apt to remove the package(s)).

I.e. our current config assumes that any new dependencies for security
updates, would also be included in the security repo.

If it is confirmed that this is expected (albeit uncommon) behaviour, we
need to adjust our current auto-update config as it is not safe!

If instead, this was a mistake (human error) then we'd like to see how
we might be able to support the Security team to avoid this happening
again in the future. I have no idea what form this might take, but am
open to suggestions.

Regards,
Jeremy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20181205/25544819/attachment.sig>


More information about the pkg-mysql-maint mailing list