Web lists-archives.com

Re: Proper sources list from Jessie > Stretch

Sorry for the top-post but I think it is appropriate

all good advice below but returning on the initial question without advice,
sid/unstable does not have a security.debian.repository
so just the two deb.debian are enough.

For someone with an urge to try the latest and finest you can go to sid
now and then revert to testing and brace for the tsunami.

But read this example as a sample:
Arch Linux Security Advisory ASA-201705-22
Severity: High
Date : 2017-05-30
CVE-ID : CVE-2017-7494
Package : samba
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-279
The package samba before version 4.5.10-1 is vulnerable to arbitrary
code execution.
The version of Jessie is still 4.2....  stretch and sid are on 4.5.8.... in arch based distros 4.5.10 is what they call stable!!  This does not mean that 4.2 may not already be patched due to this security issue on jessie.
This is one package as an example.

-------- Original Message --------
Subject: Re: Proper sources list from Jessie > Stretch
Local Time: June 1, 2017 2:28 PM
UTC Time: June 1, 2017 11:28 AM
From: dsr@xxxxxxxxxxxxxxxx
To: Dejan Jocic <jodejka@xxxxxxxxx>

On Thu, Jun 01, 2017 at 09:19:29AM +0200, Dejan Jocic wrote:
> On 01-06-17, Fjfj109 wrote:
> > Hi - wondering if with a standard sources list in Jessie (or any stable):

> It is usually enough to change it to stretch, if you follow it up with
> all those update and upgrade commands. And read release documentation.
> But it is not good to go from stable directly to unstable. If you want
> to go to unstable, you first go to testing. Then, when you are sure that
> everything went fine, you switch to unstable. And, you make backup of
> your important data. Just in case.

This is odd advice. (Not the bit about backups. Backups are
always important.)

Stretch will become the new stable in a few weeks. Changing
to "stretch" will make that transition early, but changing to
"unstable" will make that transition and then, after stretch
becomes stable, will incur a lot of package churn and breakage.

If this discussion happened a year ago, the question would be
whether you really wanted to go to testing or to unstable. They
have different purposes.