Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-27 Thread Steve McIntyre
On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>On Thu, Jan 24, 2019 at 12:39:29PM +0100, Emilio Pozuelo Monfort wrote:
>>
>>Just to clarify: there is no separate -lts suite anymore, so it'd
>>just need to pull from security (which still needs changes as you
>>mentioned).
>>
>>Can you give a pointer to the code where this is done? Perhaps we
>>can help with the necessary code changes if you would welcome that.
>
>There are a few places where debian-cd references the mirror, suite,
>etc. which is a bit awkward here. Thinking about this, the *easiest*
>way to do this would be to use the existing "local" support which can
>pull in a local repo of changed .debs and .udebs on top of the base
>Debian repo access. Simply setting up a local repo with the apt
>packages in wouldn't be too hard here, and would solve the initial
>installation problem. However, it might confuse people a little, and
>I'll admit it might look ugly too.
>
>I'll give it a try now...

And that worked on the first attempt. Using this approach, I've done
jessie builds of the various LTS arches using casulana, the normal CD
build machine. Resulting test output at

  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/

if you'd like to have a look. I've tested the amd64 netinst with no
network connection (to ensure no updates from elsewhere), and it
happily installed the right version of apt (1.0.9.8.5) seamlessly.

If you're happy with this, let me know and I'll spin a new version
ready for release (version 8.11.1, I guess?).

-- 
Steve McIntyre, Cambridge, UK.   st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
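The message above describes building installer images from a local repository of rebuilt apt packages and then confirming, on an offline install, that the right apt version (1.0.9.8.5) landed. The check below is an added example, not code from debian-cd or from Steve's message: it parses a `Packages` index in the Debian control-file format and compares the advertised version against the expected fixed version using the dpkg version-ordering rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything). The `Packages` text is constructed here for illustration; the `check_fixed` and `compare_versions` names are this example's own.

```python
"""Verify that a local apt repository's Packages index carries the fixed apt.

Added example: parses Debian 'Packages' stanzas and compares versions using
the dpkg ordering algorithm (epoch:upstream-revision, '~' sorts lowest).
"""
import re

# Constructed sample Packages index (not taken from any real archive).
SAMPLE_PACKAGES = """\
Package: apt
Version: 1.0.9.8.5
Architecture: amd64
Depends: libapt-pkg4.12 (>= 1.0.9.8.5), libc6 (>= 2.15)
Description: commandline package manager
 This package provides commandline tools for searching and
 managing as well as querying information about packages.

Package: libapt-pkg4.12
Version: 1.0.9.8.5
Architecture: amd64
Description: package management runtime library
"""


def parse_packages(text):
    """Yield one dict per stanza; continuation lines (leading space) are folded."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last is not None:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if fields:
            yield fields


def _order(s, i):
    """dpkg character weight: '~' < end-of-string/digit < letters < others."""
    if i >= len(s) or s[i].isdigit():
        return 0
    c = s[i]
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does (alternating runs)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            diff = _order(a, ia) - _order(b, ib)
            if diff:
                return -1 if diff < 0 else 1
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, longer run wins, else first differing digit.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, _, rest = version.rpartition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def check_fixed(packages_text, package, fixed_version):
    """Return (found_version, ok): ok is True when the index carries >= fixed."""
    for stanza in parse_packages(packages_text):
        if stanza.get("Package") == package:
            found = stanza["Version"]
            return found, compare_versions(found, fixed_version) >= 0
    return None, False


if __name__ == "__main__":
    print(check_fixed(SAMPLE_PACKAGES, "apt", "1.0.9.8.5"))
```

Run against the `Packages` file of the local repo (or of the built image's `dists/.../binary-*/`) before spinning release images; a `False` result means the image would still ship an unfixed apt.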



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-27 Thread Steve McIntyre
On Thu, Jan 24, 2019 at 12:39:29PM +0100, Emilio Pozuelo Monfort wrote:
>Hi Steve,
>
>On 22/01/2019 14:50, Steve McIntyre wrote:
>> On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
>>> However, APT is used during initial installation and we don't have any
>>> provision for updating installer images during LTS.  So we're either
>>> going to have to revisit that or come up with some kind of workaround
>>> for installation time.
>> 
>> I can help with new jessie installation images,
>
>That would be great!
>
>> but it'll need a bit
>> of prep work. debian-cd doesn't pull from security or lts by default.
>
>Just to clarify: there is no separate -lts suite anymore, so it'd just need to
>pull from security (which still needs changes as you mentioned).
>
>Can you give a pointer to the code where this is done? Perhaps we can help with
>the necessary code changes if you would welcome that.

There are a few places where debian-cd references the mirror, suite,
etc. which is a bit awkward here. Thinking about this, the *easiest*
way to do this would be to use the existing "local" support which can
pull in a local repo of changed .debs and .udebs on top of the base
Debian repo access. Simply setting up a local repo with the apt
packages in wouldn't be too hard here, and would solve the initial
installation problem. However, it might confuse people a little, and
I'll admit it might look ugly too.

I'll give it a try now...

-- 
Steve McIntyre, Cambridge, UK.   st...@einval.com
Is there anybody out there?



Re: qemu - CVE-2018-19665: bt subsystem mishandles negative length variables

2019-01-27 Thread Adrian Zaugg
On 1/12/19 5:52 PM, Hugo Lefeuvre wrote:
> the subsystem doesn't seem to be very actively maintained and that the user
> base is quite small, it is maybe better to mark this no-dsa in stretch and


Please don't forget that Debian has derivatives that do not get summed up
in popcon.d.o. So the user base might be bigger than assumed.


Regards, Adrian.