Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread John Franklin 

> On Sep 7, 2017, at 1:54 PM, KatolaZ  wrote:
> 
> These things will clear out when amprolla3 comes up. We are almost
> there.  The current amprolla is not merging sone suites on ascii,
> including ascii-updates and ascii-proposed-updates.

I’m looking forward to a big update when it finally does.  I hope amprolla3 is 
getting the priority attention it deserves.

jf
-- 
John Franklin
frank...@tux.org



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread KatolaZ 
On Thu, Sep 07, 2017 at 10:22:57AM -0400, fsmithred wrote:

[cut]

> 
> I think there's nothing in ascii-security and ascii-updates. The Packages
> files for both are empty. (I only checked amd64.)
> 
> In contrast to that jessie-security, jessie-updates and
> jessie-proposed-updates all have packages.
> 
> Can someone explain the difference between -security, -updates and
> -proposed-updates? What goes where, and why is ascii different from
> jessie? Thanks. Questions about security updates come up regularly on d1g.
> 

These things will clear out when amprolla3 comes up. We are almost
there.  The current amprolla is not merging sone suites on ascii,
including ascii-updates and ascii-proposed-updates.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


signature.asc
Description: Digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread Svante Signell 
On Thu, 2017-09-07 at 10:22 -0400, fsmithred wrote:
> On 09/07/2017 08:55 AM, Svante Signell wrote:
> > 
> 
> I think there's nothing in ascii-security and ascii-updates. The Packages
> files for both are empty. (I only checked amd64.)
> 
> In contrast to that jessie-security, jessie-updates and
> jessie-proposed-updates all have packages.
> 
> Can someone explain the difference between -security, -updates and
> -proposed-updates? What goes where, and why is ascii different from
> jessie? Thanks. Questions about security updates come up regularly on d1g.

In my opinion they should be as follows:
ascii-security: Debian stretch security updates, filtered so that if there is an
older Devuan package it cannot be installed.

ascii-updates: Remove, it serves no real purpose, or?

ascii-proposed-updates: Devuan packages, not yet migrated into ascii.
(similar to Debian packages in sid/unstable not yet merged into testing/buster.
They do migrate to testing after normally 5-10 days if no RC bugs, etc blocks
them)
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread fsmithred 
On 09/07/2017 08:55 AM, Svante Signell wrote:
> On Thu, 2017-09-07 at 21:07 +0900, Olaf Meeuwissen wrote:
>> Hi John,
>>
>> John Franklin writes:
>>
>>> I’ve seen several security alerts from Debian, but no matching
>>> updates in Devuan.  For example, the “file" package has
>>> CVE-2017-1000249, released yesterday.
>>>
 For the stable distribution (stretch), this problem has been fixed in
 version 1:5.30-1+deb9u1.
> 
>> Uhm, Devuan ascii is testing.  I'd think that doesn't get any security
>> upgrades, just like Debian's testing (buster) doesn't get any.
> 
> No, Devuan ascii is stretch, i.e. Debian stable.
> 
> This upgrade should be available, but isn't:
> Adding to /etc/apt/sources.list,
> deb http://auto.mirror.devuan.org/merged ascii-security  main
> does not make it available:
> apt-cache policy file
> file:
>   Installed: 1:5.30-1
>   Candidate: 1:5.30-1
>   Version table:
>  *** 1:5.30-1 991
> 991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
> 100 /var/lib/dpkg/status
> ___


My sources.list is bigger than yours, and I see the same thing for file,
but I know of two other cases in which the patched version found in
stretch security is in ascii-proposed-updates -

apache2:
  2.4.25-3+deb9u2 0
10 http://security.debian.org/ stretch/updates/main amd64 Packages
100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main
amd64 Packages

chromium:
  60.0.3112.78-1~deb9u1 0
10 http://security.debian.org/ stretch/updates/main amd64 Packages
100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main
amd64 Packages

I think there's nothing in ascii-security and ascii-updates. The Packages
files for both are empty. (I only checked amd64.)

In contrast to that jessie-security, jessie-updates and
jessie-proposed-updates all have packages.

Can someone explain the difference between -security, -updates and
-proposed-updates? What goes where, and why is ascii different from
jessie? Thanks. Questions about security updates come up regularly on d1g.


fsmithred


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread Svante Signell 
On Thu, 2017-09-07 at 21:07 +0900, Olaf Meeuwissen wrote:
> Hi John,
> 
> John Franklin writes:
> 
> > I’ve seen several security alerts from Debian, but no matching
> > updates in Devuan.  For example, the “file" package has
> > CVE-2017-1000249, released yesterday.
> > 
> > > For the stable distribution (stretch), this problem has been fixed in
> > > version 1:5.30-1+deb9u1.

> Uhm, Devuan ascii is testing.  I'd think that doesn't get any security
> upgrades, just like Debian's testing (buster) doesn't get any.

No, Devuan ascii is stretch, i.e. Debian stable.

This upgrade should be available, but isn't:
Adding to /etc/apt/sources.list,
deb http://auto.mirror.devuan.org/merged ascii-security  main
does not make it available:
apt-cache policy file
file:
  Installed: 1:5.30-1
  Candidate: 1:5.30-1
  Version table:
 *** 1:5.30-1 991
991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
100 /var/lib/dpkg/status
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng