On Mon, Jun 2, 2008 at 2:24 PM, Shachar Shemesh <[EMAIL PROTECTED]> wrote:
> Amos Shapira wrote:
>>
>>>
>>> The correct package version is libssl0.9.8-4etch3 . That's where the
>>> PRNG code resides.
>>>
>>
>> $ dpkg -l libssl0.9.8
>> Desired=Unknown/Install/Remove/Purge/Hold
>> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
>> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
>> uppercase=bad)
>> ||/ Name           Version        Description
>>
>> +++-==============-==============-============================================
>> ii  libssl0.9.8    0.9.8e-5       SSL shared libraries
>> $ apt-cache policy libssl0.9.8
>> libssl0.9.8:
>>   Installed: 0.9.8e-5
>>   Candidate: 0.9.8e-5
>>   Version table:
>>  *** 0.9.8e-5 0
>>         100 /var/lib/dpkg/status

Is this what "local" looks like? (in reference to your comment below)

>>      0.9.8c-4etch3 0
>>         990 http://mirror.optus.net.au etch/updates/main Packages
>>         990 http://security.debian.org etch/updates/main Packages
>>      0.9.8c-4etch1 0
>>         990 http://ftp.au.debian.org etch/main Packages
>>
>> Is 0.9.8e-5 considered later than 0.9.8-4etch3?
>>
>
> Of course it is. That's why "etch3" was there to begin with.
>
> According to http://packages.debian.org/etch/i386/libssl0.9.8, etch3 is the
> correct version to use. Where did the "-5" version come from? It seems you
> have a source in your apt sources that is negligent with its versioning
> policy, to the point of breaking the security of your system. If it followed
> the Debian policy regarding this, this should never have happened.
>>
>> "aptitude" lists the currently installed version and the other two
>> (-4etch1 and -4etch3) as available, but it doesn't mark this package
>> as "upgradeable".
>>
>
> That's because -5 is considered more recent than -4etch3. That's okay. The
> only question is where did the -5 come from to begin with.
>>
>> I forced aptitude to pick the version you gave, it reported that it'll
>> downgrade some LDAP packages, which I accepted. Now the
>> changelog.Debian.gz has latest entry dated May 8th, 2008.
>>
>>
>
> I would suspect those LDAP packages as the source of the problem. Where did
> they come from?
>>
>> After installation aptitude reported "security updates" to the
>> downgraded LDAP packages but otherwise was happy (doesn't mention the
>> package version I downgraded from).
>>
>> I also commented out backports for good measure even though "apt-cache
>> policy" didn't mention it.
>>
>
> First, stop working with apt-get. Only work with aptitude.

That's what I always do - just because aptitude is smart enough to mark
"automatically installed packages" to be removed when no longer
required, but also because it indeed gives an impression of being more
intelligent than plain apt-get.

>
> If you now ask to dist-upgrade your system (uppercase U in aptitude), what
> does aptitude say it's going to do about libssl? After you "downgraded"
> openssl, does the -5 version still appear?

It didn't do anything (nothing to change). But I also commented out
backports just a few hours ago.
Here are my current sources:

$ egrep -vh ^# /etc/apt/sources.list.d/*
deb http://debian.pkgs.cpan.org/debian unstable main
deb http://ftp.au.debian.org/debian/ etch main non-free contrib
deb-src http://ftp.au.debian.org/debian/ etch main non-free contrib
deb-src http://ftp.au.debian.org/debian/ sid main non-free contrib
deb http://mirror.optus.net.au/pub/debian-security/ etch/updates main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free

>>
>> I'd just like to clarify the dist-upgrade point you made above - I
>> didn't have to do it at all, are you sure this is correct?
>>
>>
>
> Tzafrir's point is 100% valid if you are using apt-get. Under aptitude it's
> a whole different ball game (and aptitude actually makes better decisions
> than apt-get, so that's, again, ok).
>
> Read the apt-get manual and you'll see that apt-get upgrade is, indeed, what
> Tzafrir claimed it is. For really large scale upgrades (such as between

Strange, I never noticed this. Back when I used "raw" apt-get it always
pulled the right versions whenever I updated.

> distribution versions), it is actually not recommended to use apt-get
> dist-upgrade. For that, either "apt-get dselect-upgrade" is recommended, or
> use dselect (ouch) or aptitude in order to do the actual upgrade. Aptitude
> is recommended by me, as it shows you what will break prior to taking any
> action.

This is news to me, but then I'm slowly drifting away from Debian as
a desktop towards Ubuntu, and it's been a while since I had time to
break systems and get to play with the pieces (bloody kids...:)

Thanks,

--Amos
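
Why the `apt-cache policy` output quoted in this message reports 0.9.8e-5 as the candidate while the etch3 security build is sitting in the version table: an added example, not part of the original message and not dpkg or apt code, that re-implements the Debian Policy version ordering in Python together with a simplified model of apt's no-downgrade rule. The function names and the `TABLE` literal are assumptions of this example; the versions and priorities in it are the ones quoted above.

```python
import re
from functools import cmp_to_key

def _order(c):
    # '~' sorts before end-of-run (0), then letters, then other characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs (Debian Policy 5.6.12).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        width = max(len(na), len(nb))
        ka = [_order(c) for c in na] + [0] * (width - len(na))
        kb = [_order(c) for c in nb] + [0] * (width - len(nb))
        if ka != kb:
            return -1 if ka < kb else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, rev

def compare(a, b):
    # Returns -1, 0 or 1: epoch first, then upstream part, then revision.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def candidate(installed, table):
    # Simplified model of apt's choice: a version older than the installed one
    # is only eligible when pinned at 1000 or above (apt_preferences(5)).
    ok = [(v, p) for v, p in table if p >= 1000 or compare(v, installed) >= 0]
    best = max(p for _, p in ok)
    return max((v for v, p in ok if p == best), key=cmp_to_key(compare))

# (version, pin priority) pairs copied from the policy output in the message.
TABLE = [("0.9.8e-5", 100), ("0.9.8c-4etch3", 990), ("0.9.8c-4etch1", 990)]

if __name__ == "__main__":
    print(compare("0.9.8e-5", "0.9.8c-4etch3"), candidate("0.9.8e-5", TABLE))
```

The upstream part `0.9.8e` already sorts after `0.9.8c`, so the comparison is settled before the `-5` and `-4etch3` revisions are looked at, and both repository builds at priority 990 are treated as downgrades.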
