How safely to stop using backports repo?


by Sthu Deus

Good day.

I have packages installed from the backports repo. Now I want to remove the
repo from my sources list and therefore no longer use any packages from
there. My question is about security: AFAIK I can get into a
troublesome situation if I simply stop using updates from
the repo, in that bugs can be found in those packages but I will not get
updates for them, because the backports repo is no longer available and
the updates/security repos have updates, but not for versions as high as
the ones I have.

So, what is the secure and the easiest way of turning from using the
repo?

Thank You for Your time.


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: How safely to stop using backports repo?

by MARGUERIE Jérémie

On Wed, 2009-05-27 at 00:36 +0700, Sthu Deus wrote:

> I have packages installed from backports repo. Now I want to remove the
> repo from my source list and therefore use not any more packages from
> there. My question is on security stuff, as AFAIK I can get into a
> troublesome situation - in case of simply stopping using updates from
> the repo - that in those packages bugs can be found but I will not get
> updates for them - because: backports repo is no more available, and
> the updates/security repos have updates but not for so high version as
> the ones I have.
>
> So, what is the secure and the easiest way of turning from using the
> repo?

Hi

You might want to downgrade your software to match the version of the
main repo, but it could do some nasty things with your configuration
files.

Otherwise, you can `apt-get remove` them (plus --purge if you want to
reset your configuration files) and re-install them: that way you'll
use the main-repo version and you won't have security problems
anymore.

Anyway, leaving your software in their current state doesn't seem very
secure.

--
MARGUERIE Jérémie _____
Student (Sup) at /EPITA\
Webmaster of www.web-modules.net




Re: How safely to stop using backports repo?

by Sthu Deus

Good day, MARGUERIE.

Thank You for Your reply:
>Otherwise, you can `apt-get remove` them (plus --purge if you want to
>reset your configuration files) and re-install them : that way you'll
>use the main-repo version and you won't want have security problems
>anymore.

That decision I feared...

Is there an automatic way that can give me a list of the packages that came
from the backports repo?




Re: [deb-sec] Re: How safely to stop using backports repo?

by Brett Hamilton

Hi Stu,

When I was downgrading from mixed stable/testing to stable, I created
daudit. It is a perl script that compares a computer's installed debian
packages with any of the three debian releases. daudit downloads the
packagelist from packages.debian.org and compares it with dpkg on the
local machine. daudit does not write to disk, and you don't need root
access to use it. It might be useful for you:

   http://simple.be/software/daudit/

Let me know if it works for you!

--Brett



On Thu, 28 May 2009, sthu.deus@... wrote:

> Good day, MARGUERIE.
>
> Thank You for Your reply:
>> Otherwise, you can `apt-get remove` them (plus --purge if you want to
>> reset your configuration files) and re-install them : that way you'll
>> use the main-repo version and you won't want have security problems
>> anymore.
>
> That decision I feared...
>
> Is there a automatic way that can give me a list of the packages came
> from backports repo?




Re: How safely to stop using backports repo?

by Konstantin Khomoutov

sthu.deus@... wrote:

> Is there a automatic way that can give me a list of the packages came
> from backports repo?

Install grep-dctrl and do

  $ grep-status -F Version '~bpo' -a -F Status installed -s Package

It will print the list of installed packages which have "~bpo" in their
names -- a common substring usually found in packages from backports.org.




Re: How safely to stop using backports repo?

by Jeff Dickison



On Wed, May 27, 2009 at 11:20 AM, <sthu.deus@...> wrote:

> Good day, MARGUERIE.
>
> Thank You for Your reply:
> >Otherwise, you can `apt-get remove` them (plus --purge if you want to
> >reset your configuration files) and re-install them : that way you'll
> >use the main-repo version and you won't want have security problems
> >anymore.
>
> That decision I feared...
>
> Is there a automatic way that can give me a list of the packages came
> from backports repo?

Not automatic, but here is a quick script that might help you along:
 
#!/bin/sh

for pkg in `dpkg -l | awk '{print $2}' | sort` ; do
    if apt-cache policy "$pkg" | grep "www.backports.org" > /dev/null ; then
        echo "$pkg" "  appears to be from www.backports.org"
    fi
done


-Jeff


Re: How safely to stop using backports repo?

by Sebastien Delafond

On 2009-05-28, JeffD <jeff.dickison@...> wrote:

> Not automatic, but here is a quick script that might help you along:
>
> #!/bin/sh
>
> for pkg in `dpkg -l | awk '{print $2}'|sort` ; do
>
> if apt-cache policy $pkg | grep "www.backports.org" > /dev/null ; then
>                 echo $pkg  "  appears to be from www.backports.org"
> fi
>
> done

I don't think that can work, unless you make it something like:

  apt-cache policy $pkg | grep -A 1 -E '^ \*\*\*' | grep "www.backports.org"

to make sure www.backports.org actually qualifies the *installed*
version ?

Cheers,

--Seb
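
An added example (not from any poster in this thread) of the check Sebastien describes: parse the `apt-cache policy` version table and consider only the sources listed under the installed (`***`) entry, so a package that merely has a backport available is not flagged. The package names, versions and policy text are constructed, and the table layout (` *** ` for the installed version, five spaces before other versions) is assumed.

```shell
#!/bin/sh
# Added example; the policy text in the two sample_* functions is constructed.

# Print the sources listed under the "***" (installed) entry of an
# `apt-cache policy` version table read from stdin, priority stripped.
installed_sources() {
    awk '
        /^ \*\*\* /            { inst = 1; next }  # installed version entry
        /^     [^ ]/           { inst = 0; next }  # any other version entry
        inst && /^ +-?[0-9]+ / { sub(/^ +-?[0-9]+ /, ""); print }
    '
}

# True when the installed version is offered by a source matching pattern $1.
# /var/lib/dpkg/status is ignored: apt lists it for every installed version.
installed_from() {
    installed_sources | grep -v '^/var/lib/dpkg/status' | grep -q -- "$1"
}

# True when no configured source offers the installed version any more, which
# is the state of a backported package once its sources.list line is removed.
installed_is_orphaned() {
    ! installed_sources | grep -v '^/var/lib/dpkg/status' | grep -q .
}

sample_backported() { cat <<'EOF'
foo:
  Installed: 1.2-3~bpo50+1
  Candidate: 1.2-3~bpo50+1
  Version table:
 *** 1.2-3~bpo50+1 0
          1 http://www.backports.org lenny-backports/main Packages
        100 /var/lib/dpkg/status
     1.0-1 0
        500 http://ftp.debian.org lenny/main Packages
EOF
}
sample_stable() { cat <<'EOF'
bar:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
     1.2-3~bpo50+1 0
          1 http://www.backports.org lenny-backports/main Packages
 *** 1.0-1 0
        500 http://ftp.debian.org lenny/main Packages
        100 /var/lib/dpkg/status
EOF
}
```

On a Debian system the functions take real output per package, for example `apt-cache policy "$pkg" | installed_is_orphaned` after the backports line has been commented out and the package lists updated.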




Re: How safely to stop using backports repo?

by Lionel Elie Mamane-2

On Thu, May 28, 2009 at 01:20:25AM +0700, sthu.deus@... wrote:
> Thank You for Your reply:

>> Otherwise, you can `apt-get remove` them (plus --purge if you want
>> to reset your configuration files) and re-install them : that way
>> you'll use the main-repo version and you won't want have security
>> problems anymore.

> That decision I feared...

> Is there a automatic way that can give me a list of the packages came
> from backports repo?

Give stable a priority > 1000 in /etc/apt/preferences and do an
upgrade in apt-get or aptitude or ... It will downgrade all packages
that have a version newer than in stable. Not completely guaranteed to
work (downgrades are not officially supported), but often works OK.

--
Lionel




Re: How safely to stop using backports repo?

by Sthu Deus

Good day, Konstantin.

Thank You for Your reply:
>It will print the list of installed packages which have "~bpo" in their
>names -- a common substring usually found in packages from
>backports.org.

You say "usually"... Then, I can miss a package and that one will
remain a breach in my system... No other tracking ideas?




Re: How safely to stop using backports repo?

by Manfred Schmitt-12

sthu.deus@... wrote:
>
> Is there a automatic way that can give me a list of the packages came
> from backports repo?
>
If backports is still in the sources.list:

aptitude -F %p search '~S~i~Alenny-backports' or
aptitude -F %p search '~S~i~OBackports.org' or...

Ooops, after comparing both results I realized that I still have the
old debian-backports-keyring from etch-backports installed ;)
So I refined my preferences to

Package: *
Pin: origin www.backports.org
Pin-Priority: 777

which upgrades already installed packages but doesn't install all packages
from backports when doing an aptitude safe-upgrade (I'm using such an odd
Pin-Priority to distinguish my own preferences clearly in apt-cache policy).

btw: The reference for the search patterns is included in the package
aptitude-doc-en (and a few other language codes).

Bye,
Manne




Re: How safely to stop using backports repo?

by Guntram Trebs

Hello,

I use aptitude; I would do it this way:

 - call aptitude and look up whether you have a section named "Obsolete and
Locally Created Packages". Normally this section should not be visible as
it's empty
 - remove (better comment out) the backports line in /etc/apt/sources.list
 - now do an update in aptitude and look at what's new in the section
"Obsolete and Locally Created Packages". For every such package try to
downgrade to a version from your remaining apt sources.

That way you should have a good control over the changes. If you have
nothing left in the obsolete-section, you are done. If you want to leave
there something, you should check if there is a reasonable reason to do
so, as you have to care for security holes, bugfixes, updates there by
yourself.

my 2c,
Guntram

sthu.deus@... wrote:
> Good day, Konstantin.
>
> Thank You for Your re
> You say "usually"... Then, I can miss a package and that one will
> remain a breach in my system... No other tracking ideas?
>
>
>  


--
Guntram Trebs
Freelance programmer and administrator

gt@...
+49 (30) 42 80 61 55
+49 (178) 686 77 55





Re: How safely to stop using backports repo?

by Boyd Stephen Smith Jr.-3

In <4a201c37.20018e0a.51f2.6c30@...>, sthu.deus@... wrote:
>>It will print the list of installed packages which have "~bpo" in their
>>names -- a common substring usually found in packages from
>>backports.org.
>
>You say "usually"...

Well, I think it is backports policy to always have ~bpo in their version.

See http://www.backports.org:80/dokuwiki/doku.php?id=contribute "Basic Rule"
4.

It both identifies the package and ensures that the version in testing is
considered 'higher'.  1.2-3~bpo < 1.2-3, according to dpkg.
--
Boyd Stephen Smith Jr.           ,= ,-_-. =.
bss@...             ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/            \_/




Re: How safely to stop using backports repo?

by Johannes Wiedersich

Guntram Trebs wrote:

> Hello,
>
> i use aptitude, i would do it this way:
>
> - call aptitude and look up, if you have a section named "Obsolete and
> Locally Created Packages". Normaly this section should not be visible as
> its empty
> -  remove (better comment out) the backports-line in /etc/apt/sources.list
> - now do an update in aptitude and look, what's new in the section
> "Obsolete and Locally Created Packages". For every such package try to
> downgrade to a version from your remaining apt-sources.

That doesn't seem to work on my system. It will only report packages
that exist in backports, but not in stable. If the package has the same
name, but only a different version in stable and backports, that
approach won't work.

Cheers,
Johannes




Re: How safely to stop using backports repo?

by Boyd Stephen Smith Jr.-3

In <4A202553.4030801@...>, Guntram Trebs wrote:
> - call aptitude and look up, if you have a section named "Obsolete and
>Locally Created Packages". Normaly this section should not be visible as
>its empty
> -  remove (better comment out) the backports-line in
> /etc/apt/sources.list - now do an update in aptitude and look, what's new
> in the section "Obsolete and Locally Created Packages". For every such
> package try to downgrade to a version from your remaining apt-sources.

Last I checked, "Obsolete and Locally Created Packages" only contains
packages with NO available versions.  So, this will catch packages that are
not in stable that were backported, but it wouldn't catch packages that are
in stable but have a newer version in backports.
--
Boyd Stephen Smith Jr.           ,= ,-_-. =.
bss@...             ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/            \_/




Re: How safely to stop using backports repo?

by Marcin Owsiany

On Thu, May 28, 2009 at 01:20:25AM +0700, sthu.deus@... wrote:

> Good day, MARGUERIE.
>
> Thank You for Your reply:
> >Otherwise, you can `apt-get remove` them (plus --purge if you want to
> >reset your configuration files) and re-install them : that way you'll
> >use the main-repo version and you won't want have security problems
> >anymore.
>
> That decision I feared...
>
> Is there a automatic way that can give me a list of the packages came
> from backports repo?

<plug type="shameless">
you might want to have a look at apt-forktracer
</plug>

--
Marcin Owsiany <porridge@...>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

