Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-09 Thread Alex Mestiashvili
On 12/08/2016 08:53 PM, Rob van der Putten wrote:
> Hi there
> 
> 
> On 08/12/16 16:27, Alex Mestiashvili wrote:
> 
>> 0) backport it yourself. It is not that hard to dget a dsc file from
>> testing and try to build it for the current release. Often works without
>> additional efforts.
> 
> That's what I do. I'm rather blunt about it;
> 1. Does it compile?
> 2. Does it install?
> 3. Does it work?
> 4. Am I still happy about it after a while?
> 
> Recently I ran into some squid and libcap3 problems;
> http://www.sput.nl/software/squid/squid-backport.html
> 
> According to a friend it's OK to replace the maintainer supplied symbols
> file with the generated one. And the libcap3 does indeed compile and
> build a package.
> I'm considering building Squid with it and want to name the new package
> 3.5.22-1~bpo8+2 instead of 3.5.22-1~bpo8+1.
> Is this possible and how do I do this?
> 
> 
> Regards,
> Rob

You will just need to add or rename the current version in
the debian/changelog file.

I'd suggest not using the +2 suffix but rather something which will not
overlap with a new official backport version, for example ~local.

It is important to note that the version of your locally built package
is less than the new version from backports, so the new official version
will be installed automatically when released and you will not be stuck
forever with the old one.

Just out of curiosity I tried to build squid from testing for jessie,
here is the log: https://paste.debian.net/901373/





Re: Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread Clive Standbridge

> 0) backport it yourself. It is not that hard to dget a dsc file from
> testing and try to build it for the current release. Often works without
> additional efforts.

The great debian-reference has a guide to doing that:
https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_porting_a_package_to_the_stable_system



Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread Rob van der Putten

Hi there


On 08/12/16 16:27, Alex Mestiashvili wrote:


> 0) backport it yourself. It is not that hard to dget a dsc file from
> testing and try to build it for the current release. Often works without
> additional efforts.


That's what I do. I'm rather blunt about it;
1. Does it compile?
2. Does it install?
3. Does it work?
4. Am I still happy about it after a while?

Recently I ran into some squid and libcap3 problems;
http://www.sput.nl/software/squid/squid-backport.html

According to a friend it's OK to replace the maintainer supplied symbols 
file with the generated one. And the libcap3 does indeed compile and 
build a package.
I'm considering building Squid with it and want to name the new package 
3.5.22-1~bpo8+2 instead of 3.5.22-1~bpo8+1.

Is this possible and how do I do this?


Regards,
Rob





Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread Alex Mestiashvili
On 12/08/2016 02:14 PM, Greg Wooledge wrote:
> On Thu, Dec 08, 2016 at 01:58:18PM +0200, Martin T wrote:
>> let's say that I need a package named "weechat"(version 1.6-1) from
>> Debian "testing":
> 
> Let's not say that.
> 
> Let's instead say "I am running jessie, but jessie's version of weechat
> (1.0.1-1) is missing some features I need.  What should I do?"
> 
> The next step then is to look at jessie-backports.  There is a newer
> version of weechat (1.5-1~bpo8+1) in jessie-backports.  So try that
> one.
> 
> If that one STILL isn't new enough for you, then you have two choices:
> 
> 1) Install weechat yourself from upstream source code.
> 2) Upgrade your entire system to stretch (testing).
> 

0) backport it yourself. It is not that hard to dget a dsc file from
testing and try to build it for the current release. Often works without
additional efforts.




Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread tomas

On Thu, Dec 08, 2016 at 08:14:08AM -0500, Greg Wooledge wrote:

[...]

> > # apt-get install -t testing weechat

[...]

> BAD! BAD! BAD!

Somewhat disagree: not really bad, but definitely dangerous.
Whoever does this should look out for some breakage and
"interesting times" (FWIW I'm running a Frankendebian right
now, with a mix of stable and *unstable*. It's usable, but
I gotta watch out for several things. Among others, aptitude
totally freaks out when told to install anything :)

> > I guess one should not worry about new packages?
> 
> You should ABSOLUTELY worry about the UPGRADED packages!  Especially
> when one of them is libc6.  That will affect basically EVERY program
> on your entire system.

Yeah, libc is definitely a tough one (FWIW again, my libc6 does
come from unstable: but I must admit I had to *gulp* before taking
that plunge. It turned out much easier than I expected, but that
will totally depend on the set of packages installed)

> You should NOT do this!

My point of view: you should totally do this, but only if you
*know* what you're getting into and if you know you'll enjoy
the ride. Some experience on how Debian works, some raw will
to tinker and being prepared to jump into the lifeboat (you
got good backups, have you?) are essential.

> Mixing testing and stable sources produces what we call a frankendebian.
> It is an unsupportable mess.  It is not a question of whether it will
> break, but rather HOW SOON it will break.

That's how my work environment has looked for the last ~10 years.
Rock solid. But you better be prepared for some tinkering, and
have your lifeboats ready (something you've got to have anyway,
because... your hardware might as well explode under you).

Apart from that I agree 100% with Greg. And if you don't want to
delve in your distro's innards: keep to stable (or at most, to
late testing, but that's already dipping your toe in the water,
that's how it started out with me and see where I am now ;-)

> This is why we have jessie-backports.

Agreed. An awesome service.

regards
-- tomás



Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread Liam O'Toole
On 2016-12-08, Martin T wrote:
> Hi,
>
> let's say that I need a package named "weechat"(version 1.6-1) from
> Debian "testing":
>
> # apt-get install -t testing weechat
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following extra packages will be installed:
>   binutils libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libgcrypt20
> libgnutls30 libhogweed4 libncurses5 libn
>   weechat-curses
> Suggested packages:
>   binutils-doc glibc-doc rng-tools gnutls-bin weechat-doc
> Recommended packages:
>   manpages-dev weechat-plugins
> The following NEW packages will be installed:
>   libc-l10n libgnutls30 libhogweed4 libnettle6
> The following packages will be upgraded:
>   binutils libc-bin libc-dev-bin libc6 libc6-dev libgcrypt20
> libncurses5 libncursesw5 libp11-kit0 libtasn1-6 li
> 16 upgraded, 4 newly installed, 0 to remove and 511 not upgraded.
> Need to get 18.7 MB of archives.
> After this operation, 8,111 kB of additional disk space will be used.
> Do you want to continue? [Y/n] n
> Abort.
> #
>
> I guess one should not worry about new packages? However, as seen
> above, such operation would upgrade some packages which are
> dependencies for many other packages. For example libc6, libgcrypt20
> or libncurses5. What are the consequences with that? I would guess it
> shouldn't cause problems because (usually) dependencies require
> version x OR higher. For example libc6 (>= 2.14) or libgcrypt20 (>=
> 1.6.1).
>
>
>
> thanks,
> Martin
>
>

"Debian Stable should not be combined with other releases. If you're
trying to install software that isn't available in the current Debian
Stable release, it's not a good idea to add repositories for other
Debian releases. The problems might not happen right away, but the next
time you install updates." [1]

Fortunately, a later version of weechat is available from
debian-backports.[2] That would be a much safer choice.

1: https://wiki.debian.org/DontBreakDebian
2: https://backports.debian.org/

-- 

Liam



Re: potential damage to Debian "stable" when installing packages from "testing"

2016-12-08 Thread Greg Wooledge
On Thu, Dec 08, 2016 at 01:58:18PM +0200, Martin T wrote:
> let's say that I need a package named "weechat"(version 1.6-1) from
> Debian "testing":

Let's not say that.

Let's instead say "I am running jessie, but jessie's version of weechat
(1.0.1-1) is missing some features I need.  What should I do?"

The next step then is to look at jessie-backports.  There is a newer
version of weechat (1.5-1~bpo8+1) in jessie-backports.  So try that
one.

If that one STILL isn't new enough for you, then you have two choices:

1) Install weechat yourself from upstream source code.
2) Upgrade your entire system to stretch (testing).


> # apt-get install -t testing weechat
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following extra packages will be installed:
>   binutils libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libgcrypt20
> libgnutls30 libhogweed4 libncurses5 libn
>   weechat-curses
> Suggested packages:
>   binutils-doc glibc-doc rng-tools gnutls-bin weechat-doc
> Recommended packages:
>   manpages-dev weechat-plugins
> The following NEW packages will be installed:
>   libc-l10n libgnutls30 libhogweed4 libnettle6
> The following packages will be upgraded:
>   binutils libc-bin libc-dev-bin libc6 libc6-dev libgcrypt20

BAD! BAD! BAD!

> I guess one should not worry about new packages?

You should ABSOLUTELY worry about the UPGRADED packages!  Especially
when one of them is libc6.  That will affect basically EVERY program
on your entire system.

You should NOT do this!

Mixing testing and stable sources produces what we call a frankendebian.
It is an unsupportable mess.  It is not a question of whether it will
break, but rather HOW SOON it will break.

This is why we have jessie-backports.