[debian-mysql] Bug#914172: Inquiry re "policy" of new dependencies (not hosted in sec repo) added when issuing security updates

Salvatore Bonaccorso carnil at debian.org
Wed Dec 5 06:27:52 GMT 2018


Hi Jeremy,

On Wed, Dec 05, 2018 at 02:15:04PM +1100, Jeremy Davis wrote:
> Hi,
> 
> FYI TurnKey Linux is a Debian derivative which builds a library of
> headless server "software appliances" using mostly Debian packages, but
> many with upstream software pre-installed on top.
> 
> I'm hoping to get some clarity on the "status" of the practice of adding
> new dependencies (not included in the security repo) when providing
> security related updated packages.
> 
> For context, my question relates to a recent incident where ~70% of our
> library automatically uninstalled MariaDB when the recent security
> update[1] was released. If you want more detail, please see #914172[2].
> 
> [1] https://www.debian.org/security/2018/dsa-4341
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914172
> 
> The crux of it is that we have a daily automated update task which
> installs packages exclusively from the security repo. The MariaDB
> security update included a new dependency on 'libconfig-inifiles-perl'
> (hosted in main, not security).
> 
> As our config does not install packages from any repo other than
> security, this caused MariaDB to be uninstalled (uninstallable
> dependency causing apt to remove the package(s)).
> 
> I.e. our current config assumes that any new dependencies for security
> updates, would also be included in the security repo.
> 
> If it is confirmed that this is expected (albeit uncommon) behaviour, we
> need to adjust our current auto-update config as it is not safe!
> 
> If instead, this was a mistake (human error) then we'd like to see how
> we might be able to support the Security team to avoid this happening
> again in the future. I have no idea what form this might take, but am
> open to suggestions.

The addition of the libconfig-inifiles-perl was an intentional change
here, from the changelog entry:

  * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix
    mytop

I would acctually not recommend including only the security mirrors in
sources list. You will miss in such cases important updates as well
scheduled via a point releases.

Does this helps?

Regards,
Salvatore



More information about the pkg-mysql-maint mailing list