Re: How to safely hold kernel packages ?

On 2018-02-06 at 12:00, Stéphane Rivière wrote:

> Hi all,
> 
> I wanted to avoid kernel updates after the Spectre/Meltdown 'bug',
> also known as KPTI or kaiser CPU flaw. In my specific context, these
> patches are useless or even harmful.

As indicated by Andy Smith, you should probably upgrade anyway and apply
a kernel command-line option to disable this behavior, since there are
other fixes included in the updated kernels.

> Before applying an aptitude update/upgrade to all the servers and VMs
> I'm in charge of, I've done a little test on a Debian 9 stable
> workstation, with the kernel linux-image-4.9.0-4-amd64 release
> 4.9.51-1
> 
> So, after an aptitude search ~i~linux- I hold these meta-packages:
> 
> aptitude hold linux-image-amd64
> aptitude hold linux-headers-amd64
> 
> Then I check the applied holds:
> 
> aptitude search ~ahold
> 
> ihA linux-headers-amd64
> ih  linux-image-amd64
> 
> then... aptitude update/upgrade
> 
> After that... I discover a kernel change:
> 
> linux-image-4.9.0-4-amd64 release 4.9.65-3 (instead of previously
> 4.9.51-1)
> 
> So it seems I just learned that the 'hold' aptitude command is for the
> package version (i.e. 4.9.0-4), not for package security fix versions
> (4.9.65-3)...
> 
> But is there a way to really *freeze* a package (block all updates)?

There is. 'hold' should do it; I think you just held the wrong packages.

As I understand matters, linux-image-amd64 is a metapackage, or
something similar to one. It does not contain any actual kernel; it just
depends on another package, which does contain a kernel.

For example, linux-image-amd64 version 4.9* will depend on a
linux-image-4.9.*-amd64 package, and linux-image-amd64 version 4.14*
will depend on a linux-image-4.14*-amd64 package.

The "below" packages can get new versions even when the "above" package
doesn't; in fact, they very commonly do, since AFAIK most of the time
there's no need for a new linux-image-amd64 version except when
switching from e.g. 4.9.x to 4.14.x.

Once that other package is installed, if it has a new version available,
a mass "upgrade" command will cause that other package to be upgraded to
a new version - even if linux-image-amd64 itself doesn't have a new version.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
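Added example, not part of the thread or of any Debian tooling: a small POSIX shell script that makes the metapackage / concrete-package distinction in the reply above visible. It assumes a dpkg listing in `Package Version Status` form; the listing embedded here is constructed to mirror the Debian 9 workstation in the quoted message (the metapackage versions in it are made up), and the script prints the `aptitude hold` commands it would issue instead of running them.

```shell
# Added example (not code from the original thread). 'linux-image-amd64'
# is a metapackage; the upgrade in the quoted message moved the concrete
# 'linux-image-4.9.0-4-amd64' package it depends on from 4.9.51-1 to
# 4.9.65-3 while the metapackage itself stayed held. The functions below
# take a dpkg listing and pick out the concrete, version-named packages
# that must be held in addition to the metapackages.

# Constructed listing mirroring the thread's workstation; on a real host
# you would pipe in the output of:
#   dpkg-query -W -f '${Package} ${Version} ${db:Status-Abbrev}\n' 'linux-*'
# (the 4.9+80 metapackage versions are made up for the example; the 'rc'
# line stands for an older, removed-but-not-purged kernel).
SAMPLE_LISTING='linux-image-amd64 4.9+80 ii
linux-image-4.9.0-4-amd64 4.9.51-1 ii
linux-headers-amd64 4.9+80 ii
linux-headers-4.9.0-4-amd64 4.9.51-1 ii
linux-headers-4.9.0-4-common 4.9.51-1 ii
linux-libc-dev 4.9.65-3 ii
linux-image-4.9.0-3-amd64 4.9.30-2 rc'

# Metapackages: installed (ii) linux-image/-headers names with no version
# number in the name. Holding only these is what the quoted message did.
kernel_metapackages() {
    awk '$3 == "ii" && $1 ~ /^linux-(image|headers)-[a-z]/ { print $1 }'
}

# Concrete packages: installed names that carry the ABI version (4.9.0-4).
# These are what 'aptitude hold' has to target to block point releases
# such as 4.9.51-1 -> 4.9.65-3. Removed (rc) entries have nothing to freeze.
concrete_kernel_packages() {
    awk '$3 == "ii" && $1 ~ /^linux-(image|headers)-[0-9]/ { print $1 }'
}

# Print the hold commands for both layers rather than executing them, so
# the script is safe to run anywhere; pipe the result to sh once reviewed.
hold_commands() {
    listing=$(cat)
    for pkg in $(printf '%s\n' "$listing" | kernel_metapackages) \
               $(printf '%s\n' "$listing" | concrete_kernel_packages); do
        printf 'aptitude hold %s\n' "$pkg"
    done
}

# Stand-alone run: show what would be held for the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | hold_commands
```

Holding both layers freezes the kernel at 4.9.51-1 until the holds are lifted with `aptitude unhold`, and `aptitude search ~ahold` from the quoted message will then list all four packages. The trade-off is the one the reply points at: a held linux-image-4.9.0-4-amd64 also blocks later point releases that carry unrelated fixes, so the hold should be reviewed rather than left in place indefinitely.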
