On Sun, Mar 11, 2018 at 06:38:56PM +0100, Felix Natter wrote:
> I had a wrong configuration in sources.list (for about half a year :-():
> deb http://security.debian.org/ stretch/updates main contrib non-free
> deb-src http://security.debian.org/ stretch/updates main contrib non-free
> which I corrected now:
> deb http://security.debian.org/debian-security/ stretch/updates main contrib
> deb-src http://security.debian.org/debian-security/ stretch/updates main
> contrib non-free
I think that either form is fine. I have some cloud systems that use the
first form and I received all the expected security updates.
> But I still do not get the stretch 9.4 security updates, like
> firefox-esr for example .
> However, looking at the package status for firefox-esr , there does
> not seem to be a [security] update (but maybe it's just designated
> differently since stretch?). In any case, that version
> (52.6.0esr-1~deb9u1) is installed.
> Is that because the 9.4 release pulls in all sec updates in the regular
> update channel?
Debian 9.4 constitutes a point release . When a point release is made
the packages in the main archive are updated, usually from those that
have updated to the security suite, but also with additional
non-security updates that have been proposed by package maintainers
and/or release managers.
So, those updates, including firefox-esr, would be expected from the
standard archive sources instead of the security sources. You can tell
if you are updated to Debian 9.4 by looking at the output of any of
$ cat /etc/debian_version
$ lsb_release -a
$ apt-cache policy base-files
Roberto C. Sánchez