Hello,
I often upgrade my Debian-Stretch.
Each time, it's mostly packages trinity who are upgraded, it's good, and less Debian packages.
But, is it normal ?
Regards,
André
On Thursday 11 April 2019 21.17:42 andre_debian@numericable.fr wrote:
> Hello,
> I often upgrade my Debian-Stretch.
> Each time, it's mostly packages trinity who are upgraded, it's good, and less Debian packages.
> But, is it normal ?
> Regards,
> André
I'd say Stretch is "stable", and soon to become "old-stable", so I guess not much is upgraded.
Anyway I think this "upgrade/update" craze is mostly the result from Microsoft, Apple and Google having to frequently patch their buggy OSes and using this to force users to adopt their latest control options. Now it's become a fashion.
I have here a few installs with fairly old Linux versions and never got a problem - I agree I'm certainly not a prime target for hackers...
Thierry
Thierry de Coulon wrote:
> Anyway I think this "upgrade/update" craze is mostly the result from Microsoft, Apple and Google having to frequently patch their buggy OSes and using this to force users to adopt their latest control options. Now it's become a fashion.
> I have here a few installs with fairly old Linux versions and never got a problem - I agree I'm certainly not a prime target for hackers...
I disagree here, because if you look at what was recently upgraded in Stretch, these are openssh and similar, which are critical and I would not advise anyone with access to the internet to not upgrade frequently.
This is also not "Microsoft, Apple and Google" madness, but a normal software cycle. If you want to have latest bug and security fixes, do upgrade regularly.
Now for TDE, it is so stable, that you may have the impression you do not need it, but still the system should be up to date, to not allow undesired intrusions.
If you are target or not - you do not know. I see in the last couple of months constant brute force attacks on my ssh server, although I do not believe I am a target too. These are not people, these are machines and they do not make exception for you or for me.
regards
On 12/04/2019 09:03, deloptes wrote:
> Thierry de Coulon wrote:
>> Anyway I think this "upgrade/update" craze is mostly the result from Microsoft, Apple and Google having to frequently patch their buggy OSes and using this to force users to adopt their latest control options. Now it's become a fashion.
>> I have here a few installs with fairly old Linux versions and never got a problem - I agree I'm certainly not a prime target for hackers...
> I disagree here, because if you look at what was recently upgraded in Stretch, these are openssh and similar, which are critical and I would not advise anyone with access to the internet to not upgrade frequently.
.. and I disagree with you. On the basis of your argument, we should not use the internet full stop as any software we use must be suspect as it will be continually upgraded. I'm not saying don't upgrade but to blindly upgrade is as bad as blindly not upgrading. Why should I believe ANY upgrade is more secure than the last? Upgrades are screwed up on a regular basis both by introducing security flaws and bugs and also removing/changing features that one needs. Do we read all the changelogs before doing apt upgrade? No, but we should if we want reliability.
> This is also not "Microsoft, Apple and Google" madness, but a normal software cycle. If you want to have latest bug and security fixes, do upgrade regularly.
Read above.
> Now for TDE, it is so stable, that you may have the impression you do not need it, but still the system should be up to date, to not allow undesired intrusions.
Upgrade for improvements, no problem, but read above.
> If you are target or not - you do not know. I see in the last couple of months constant brute force attacks on my ssh server
and upgrading will stop that? No. A bit of filtering of known spam IPs would help much more.
Security for security's sake is a nightmare. If somebody can utilise a security flaw in my TDE desktop, I've already got big, big problems.
Michael Howard via trinity-users wrote:
> I'm not saying don't upgrade but to blindly upgrade is as bad as blindly not upgrading.
Did I say blindly? You could decide to do only security updates if you wish, but to state things that are potentially dangerous is not encouraging.
regards
On 12/04/2019 12:47, deloptes wrote:
> Michael Howard via trinity-users wrote:
>> I'm not saying don't upgrade but to blindly upgrade is as bad as blindly not upgrading.
> Did I say blindly?
Did I say YOU said blindly? :) That's just what people do.
Michael Howard via trinity-users wrote:
> On 12/04/2019 12:47, deloptes wrote:
>> Michael Howard via trinity-users wrote:
>>> I'm not saying don't upgrade but to blindly upgrade is as bad as blindly not upgrading.
>> Did I say blindly?
> Did I say YOU said blindly? :) That's just what people do.
and that's how people get in trouble
On Fri April 12 2019 03:44:55 Michael Howard via trinity-users wrote:
> On 12/04/2019 09:03, deloptes wrote:
>> If you are target or not - you do not know. I see in the last couple of months constant brute force attacks on my ssh server
> and upgrading will stop that? No. A bit of filtering of known spam IPs would help much more.
Attackers mount attacks from the new systems they pwn - possibly including yours.
It is not feasible to block millions of infected IP addresses with thousands more infected and disinfected every day.
--Mike
Hi Guys,
On Friday 12 April 2019 15:47:09 Mike Bird wrote:
> On Fri April 12 2019 03:44:55 Michael Howard via trinity-users wrote:
>> On 12/04/2019 09:03, deloptes wrote:
>>> If you are target or not - you do not know. I see in the last couple of months constant brute force attacks on my ssh server
>> and upgrading will stop that? No. A bit of filtering of known spam IPs would help much more.
> Attackers mount attacks from the new systems they pwn - possibly including yours.
> It is not feasible to block millions of infected IP addresses with thousands more infected and disinfected every day.
> --Mike
More of a problem are the vulnerabilities built into the processor itself. The kernels have some patches included to help negate these, but they also slow down the system.
On 12/04/2019 15:47, Mike Bird wrote:
> On Fri April 12 2019 03:44:55 Michael Howard via trinity-users wrote:
>> On 12/04/2019 09:03, deloptes wrote:
>>> If you are target or not - you do not know. I see in the last couple of months constant brute force attacks on my ssh server
>> and upgrading will stop that? No. A bit of filtering of known spam IPs would help much more.
> Attackers mount attacks from the new systems they pwn - possibly including yours.
> It is not feasible to block millions of infected IP addresses with thousands more infected and disinfected every day.
Of course it's possible to block millions, if you have their IPs. It wouldn't be efficient but then 'millions' are not brute force attacking my, or your, or deloptes system at any one time. If they were, it would be pointless anyway. The point is, if you have a regularly updated list of known spam IPs, which we do, and you use a decent firewall, which I do, you can prevent a huge amount of brute force attacks by just dropping the connection.
The reason why my system _isn't_ infected is because I do just that. I don't rely completely on debian devs to right their own wrongs, nor should I.
On Fri April 12 2019 08:41:10 Michael Howard via trinity-users wrote:
> Of course it's possible to block millions, if you have their IPs. It wouldn't be efficient but then 'millions' are not brute force attacking my, or your, or deloptes system at any one time. If they were, it would be pointless anyway. The point is, if you have a regularly updated list of known spam IPs, which we do, and you use a decent firewall, which I do, you can prevent a huge amount of brute force attacks by just dropping the connection.
I'm unclear what you're referring to as your "regularly updated list".
Is this SYN rate limiting or fail2ban or a manually maintained list or something else?
--Mike
On 12/04/2019 17:01, Mike Bird wrote:
> On Fri April 12 2019 08:41:10 Michael Howard via trinity-users wrote:
>> Of course it's possible to block millions, if you have their IPs. It wouldn't be efficient but then 'millions' are not brute force attacking my, or your, or deloptes system at any one time. If they were, it would be pointless anyway. The point is, if you have a regularly updated list of known spam IPs, which we do, and you use a decent firewall, which I do, you can prevent a huge amount of brute force attacks by just dropping the connection.
> I'm unclear what you're referring to as your "regularly updated list".
> Is this SYN rate limiting or fail2ban or a manually maintained list or something else?
I'm referring to 'block' lists, as provided by spamhaus.org and dshield.org for example, which are made available to everybody and can be downloaded as frequently as one likes/needs.
As an added barrier, I also have my own list of blocked IPs. These are IPs which are not on the above lists that repeatedly connect, trying different username/password combinations in succession. This list is not permanent because as you say, they could well be infected slaves.
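The temporary personal list described in the message above, sketched as an added example that is not part of the original thread or any poster's setup. It assumes OpenSSH "Failed password" log lines; the sample log, the networks standing in for a downloaded block list, the thresholds and the function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for networks already covered by a downloaded block list.
PUBLISHED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sshd log lines (documentation address ranges only).
SAMPLE_LOG = """\
Apr 12 09:00:01 host sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Apr 12 09:00:03 host sshd[902]: Failed password for root from 203.0.113.7 port 40002 ssh2
Apr 12 09:00:05 host sshd[903]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Apr 12 09:00:06 host sshd[904]: Failed password for invalid user oracle from 198.51.100.9 port 40004 ssh2
Apr 12 09:00:07 host sshd[905]: Failed password for invalid user pi from 198.51.100.9 port 40005 ssh2
Apr 12 09:00:08 host sshd[906]: Failed password for invalid user git from 198.51.100.9 port 40006 ssh2
Apr 12 09:05:00 host sshd[907]: Failed password for alice from 192.0.2.44 port 40007 ssh2
Apr 12 09:20:00 host sshd[908]: Failed password for alice from 192.0.2.44 port 40008 ssh2
Apr 12 09:40:00 host sshd[909]: Accepted password for alice from 192.0.2.44 port 40009 ssh2
"""

# The user name is attacker-controlled and may itself contain " from ... port ...".
# The greedy (.+) plus the end anchor make the LAST "from <ip>" the one we trust.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.+) from (\S+) port \d+ ssh2$"
)


def temp_bans(log_text, published, year=2019,
              window=timedelta(minutes=10), min_users=3,
              ttl=timedelta(hours=24)):
    """Return {ip: expiry} for sources that tried >= min_users distinct
    user names within `window` and are not already on the published list."""
    recent = defaultdict(deque)   # ip -> (time, user) failures inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, user, raw_ip = m.groups()
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue              # not an address: ignore rather than guess
        if any(ip in net for net in published):
            continue              # the downloaded list already drops it
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append((when, user))
        while when - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= min_users:
            bans[ip] = when + ttl  # not permanent: the entry expires
    return bans


def active(bans, now):
    """Addresses whose temporary ban has not yet expired at `now`."""
    return sorted(str(ip) for ip, expiry in bans.items() if expiry > now)


if __name__ == "__main__":
    print(active(temp_bans(SAMPLE_LOG, PUBLISHED_NETS), datetime(2019, 4, 12, 12, 0)))
```

The expiry is what keeps a cleaned-up or reassigned address from staying blocked indefinitely; a legitimate user who mistypes one password twice never reaches the distinct-user threshold.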
On Fri April 12 2019 09:44:07 Michael Howard via trinity-users wrote:
> I'm referring to 'block' lists, as provided by spamhaus.org and dshield.org for example, which are made available to everybody and can be downloaded as frequently as one likes/needs.
Spammers have rather different characteristics than the attackers attempting to hack systems and guess passwords.
> As an added barrier, I also have my own list of blocked IPs. These are IPs which are not on the above lists that repeatedly connect, trying different username/password combinations in succession. This list is not permanent because as you say, they could well be infected slaves.
Infected PCs attempting to guess passwords and exploit bugs number in the millions, with thousands of changes every day.
What is needed is defense in depth including staying up to date on security patches, careful software configuration including firewalls, various forms of packet rate limiting, encryption, fail2ban, reverse DNS checks, SPF/DKIM, spam filters, and malware scanners.
--Mike
On 12/04/2019 18:30, Mike Bird wrote:
> On Fri April 12 2019 09:44:07 Michael Howard via trinity-users wrote:
>> I'm referring to 'block' lists, as provided by spamhaus.org and dshield.org for example, which are made available to everybody and can be downloaded as frequently as one likes/needs.
> Spammers have rather different characteristics than the attackers attempting to hack systems and guess passwords.
>> As an added barrier, I also have my own list of blocked IPs. These are IPs which are not on the above lists that repeatedly connect, trying different username/password combinations in succession. This list is not permanent because as you say, they could well be infected slaves.
> Infected PCs attempting to guess passwords and exploit bugs number in the millions, with thousands of changes every day.
> What is needed is defense in depth including staying up to date on security patches, careful software configuration including firewalls, various forms of packet rate limiting, encryption, fail2ban, reverse DNS checks, SPF/DKIM, spam filters, and malware scanners.
Shakes head and gives up.
On Thursday 11 April 2019 21.17:42 andre_debian@numericable.fr wrote:
> I often upgrade my Debian-Stretch. Each time, it's mostly packages trinity who are upgraded, it's good, and less Debian packages. But, is it normal ?
On Thursday 11 April 2019 22:34:54 Thierry de Coulon wrote:
> I'd say Stretch is "stable", and soon to become "old-stable", so I guess not much is upgraded. Anyway I think this "upgrade/update" craze is mostly the result from Microsoft, Apple and Google having to frequently patch their buggy OSes and using this to force users to adopt their latest control options. Now it's become a fashion. I have here a few installs with fairly old Linux versions and never got a problem - I agree I'm certainly not a prime target for hackers...
My question was : Even if it's good, is it normal that often most of trinity packages must be upgraded ?
Regards,
André
On Fri 12 April 2019 andre_debian@numericable.fr wrote:
> On Thursday 11 April 2019 21.17:42 andre_debian@numericable.fr wrote:
>> I often upgrade my Debian-Stretch. Each time, it's mostly packages trinity who are upgraded, it's good, and less Debian packages. But, is it normal ?
> On Thursday 11 April 2019 22:34:54 Thierry de Coulon wrote:
>> I'd say Stretch is "stable", and soon to become "old-stable", so I guess not much is upgraded. Anyway I think this "upgrade/update" craze is mostly the result from Microsoft, Apple and Google having to frequently patch their buggy OSes and using this to force users to adopt their latest control options. Now it's become a fashion. I have here a few installs with fairly old Linux versions and never got a problem - I agree I'm certainly not a prime target for hackers...
> My question was : Even if it's good, is it normal that often most of trinity packages must be upgraded ?
> Regards,
> André
Hi,
regarding Trinity packages, it depends on what apt source is used, whether the final release or the preliminary stable builds. For the final, it is updated only during the release. For preliminary, it is updated on an ongoing basis.
Cheers
On Fri 12 April 2019 andre_debian@numericable.fr :
> My question was : Even if it's good, is it normal that often most of trinity packages must be upgraded ?
On Friday 12 April 2019 13:16:51 Slávek Banko wrote:
> regarding Trinity packages, it depends on what apt source is used, whether the final release or the preliminary stable builds. For the final, it is updated only during the release. For preliminary, it is updated on an ongoing basis.
My /apt/sources.list contains these lines for trinity :
#trinity
deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
release or preliminary stable builds ?
Thanks,
André
On Fri 12 April 2019 andre_debian@numericable.fr wrote:
> On Fri 12 April 2019 andre_debian@numericable.fr :
>> My question was : Even if it's good, is it normal that often most of trinity packages must be upgraded ?
> On Friday 12 April 2019 13:16:51 Slávek Banko wrote:
>> regarding Trinity packages, it depends on what apt source is used, whether the final release or the preliminary stable builds. For the final, it is updated only during the release. For preliminary, it is updated on an ongoing basis.
> My /apt/sources.list contains these lines for trinity :
> #trinity
> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> release or preliminary stable builds ?
> Thanks,
> André
Preliminary stable builds. Currently, packages are the same version as in stable == both contains R14.0.6. If you want, now is a good time to switch to a stable repository.
Cheers
On Fri 12 April 2019 andre_debian@numericable.fr wrote:
> My /apt/sources.list contains these lines for trinity :
> #trinity
> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> release or preliminary stable builds ?
On Friday 12 April 2019 16:55:40 Slávek Banko wrote:
> Preliminary stable builds. Currently, packages are the same version as in stable == both contains R14.0.6. If you want, now is a good time to switch to a stable repository.
I'm lost.
I see on trinity site, https://wiki.trinitydesktop.org/Debian_Trinity_Repository_Installation_Instr...
TDE R14.0.5 :
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-r14.0.0/debian <your-distribution> main
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-r14.0.0/debia... <your-distribution> main
deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-r14.0.0/debian <your-distribution> main
deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-r14.0.0/debia... <your-distribution> main
OR TDE v3.5.13.2 :
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-v3.5.13/debian <your-distribution> main
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-v3.5.13/debia... <your-distribution> main
deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-v3.5.13/debian <your-distribution> main
deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-v3.5.13/debia... <your-distribution> main
Also, tde-trinity and kde-trinity : which difference between the both ?
Which lines in sources.list for me ?
Thanks,
André
andre_debian@numericable.fr wrote:
> I'm lost.
> I see on trinity site,
> https://wiki.trinitydesktop.org/Debian_Trinity_Repository_Installation_Instr...
> TDE R14.0.5 :
> deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-r14.0.0/debian <your-distribution> main
> deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-r14.0.0/debia... <your-distribution> main
> deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-r14.0.0/debian <your-distribution> main
> deb-src http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-r14.0.0/debia... <your-distribution> main
what Slavek means is if you switch to the above, you will keep your current 14.0.6 from preliminary stable build, because http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14 will go to 14.0.7 and you will get again more frequent updates of trinity packages.
I think the wiki just needs to be updated as 14.0.6 came out recently.
regards
On Friday 12 April 2019 21:55:27 deloptes wrote:
> andre_debian@numericable.fr wrote:
>> I'm lost.
> what Slavek means is if you switch to the above, you will keep your current 14.0.6 from preliminary stable build, because http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14 will go to 14.0.7 and you will get again more frequent updates of trinity packages. I think the wiki just needs to be updated as 14.0.6 came out recently.
Always lost.
Are these lines below correct ? (to have the last version 14.5 or 6) :
#trinity
deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
Thanks,
André
On Mon, 15 Apr 2019 at 05:35, andre_debian@numericable.fr wrote:
> On Friday 12 April 2019 21:55:27 deloptes wrote:
>> andre_debian@numericable.fr wrote:
>>> I'm lost.
>> what Slavek means is if you switch to the above, you will keep your current 14.0.6 from preliminary stable build, because http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14 will go to 14.0.7 and you will get again more frequent updates of trinity packages. I think the wiki just needs to be updated as 14.0.6 came out recently.
> Always lost.
> Are these lines below correct ? (to have the last version 14.5 or 6) :
> #trinity
> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> Thanks, André
Moi, je me sens aussi un peu perdu - I feel a bit lost too. I have included the above lines in my sources.list - after update, there is still no indication of packages to be upgraded. Robert
On Mon, 15 Apr 2019 08:40:28 -0700 Robert Peters wrote:
> On Mon, 15 Apr 2019 at 05:35, andre_debian@numericable.fr wrote:
>> On Friday 12 April 2019 21:55:27 deloptes wrote:
>>> andre_debian@numericable.fr wrote:
>>>> I'm lost.
>>> what Slavek means is if you switch to the above, you will keep your current 14.0.6 from preliminary stable build, because http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14 will go to 14.0.7 and you will get again more frequent updates of trinity packages. I think the wiki just needs to be updated as 14.0.6 came out recently.
>> Always lost.
>> Are these lines below correct ? (to have the last version 14.5 or 6) :
>> #trinity
>> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
>> deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
>> Thanks, André
> Moi, je me sens aussi un peu perdu - I feel a bit lost too. I have included the above lines in my sources.list - after update, there is still no indication of packages to be upgraded. Robert
Hi!
I have devuan beowulf running. /etc/apt/sources.list contains:
deb http://mirror.ppa.trinitydesktop.org/trinity-sb buster deps-r14 extra-r14 main-r14
deb-src http://mirror.ppa.trinitydesktop.org/trinity-sb buster deps-r14 extra-r14 main-r14
$ dpkg -l|grep trinity
shows all packages are 4:14.0.6-0debian10.0.0+0~a...
On Mon 15 April 2019 Robert Peters wrote:
> On Mon, 15 Apr 2019 at 05:35, andre_debian@numericable.fr wrote:
>> On Friday 12 April 2019 21:55:27 deloptes wrote:
>>> andre_debian@numericable.fr wrote:
>>>> I'm lost.
>>> what Slavek means is if you switch to the above, you will keep your current 14.0.6 from preliminary stable build, because http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14 will go to 14.0.7 and you will get again more frequent updates of trinity packages. I think the wiki just needs to be updated as 14.0.6 came out recently.
>> Always lost.
>> Are these lines below correct ? (to have the last version 14.5 or 6) :
>> #trinity
>> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
>> deb-src http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
>> Thanks, André
> Moi, je me sens aussi un peu perdu - I feel a bit lost too. I have included the above lines in my sources.list - after update, there is still no indication of packages to be upgraded. Robert
If you want to use a stable release and don't want to get bug fixes faster, use apt source for final release:
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-r14.0.0/debian stretch main
deb http://mirror.ppa.trinitydesktop.org/trinity/trinity-builddeps-r14.0.0/debia... stretch main
If you want to use a stable release but want to get bug fixes faster == packages will be updated more often, use apt source for Preliminary Stable Builds:
deb http://mirror.ppa.trinitydesktop.org/trinity-sb stretch deps-r14 main-r14
If you want to participate in testing the development version == packages will be updated more often and sometimes there may be some problems, use apt source for Preliminary Testing Builds:
deb http://mirror.ppa.trinitydesktop.org/trinity-testing stretch deps main
[1] Final version is not available for distributions that have not yet been published - such as Debian 10 (Buster). If you want to use it, you need to use the Preliminary Stable Builds or Preliminary Testing Builds.
[2] The repository at http://mirror.xcer.cz/trinity-sb is the same as the Preliminary Stable Builds.
[3] Currently, publishing new packages to Preliminary Stable Builds is suspended. Therefore, at this time Preliminary Stable Builds contain the same version as the Final Release repository == R14.0.6. However, you can soon expect the announcement that packages for the upcoming R14.0.7 will begin to flow into Preliminary Stable Builds.
Is it understandable? Or still lost?
Cheers
On Monday 15 April 2019 18:13:06 Slávek Banko wrote:
> If you want to use a stable release but want to get bug fixes faster == packages will be updated more often, use apt source for Preliminary Stable Builds :
> deb http://mirror.ppa.trinitydesktop.org/trinity-sb stretch deps-r14 main-r14
Only one line (above) in "/etc/apt/sources.list" ?
Thanks,
Regards,
André
On Mon 15 April 2019 andre_debian@numericable.fr wrote:
> On Monday 15 April 2019 18:13:06 Slávek Banko wrote:
>> If you want to use a stable release but want to get bug fixes faster == packages will be updated more often, use apt source for Preliminary Stable Builds :
>> deb http://mirror.ppa.trinitydesktop.org/trinity-sb stretch deps-r14 main-r14
> Only one line (above) in "/etc/apt/sources.list" ?
> Thanks,
> Regards,
> André
For normal use, only line with "deb" is enough. If you also want to have source packages available, add a second line with "deb-src".
For Preliminary Stable Builds, "main-r14" and "deps-r14" are two components within a single repository - so one line is enough.
For the Final Release, "main" and "build-deps" are as two separate repositories - two separate addresses - must be on one line each.
Cheers
On Monday 15 April 2019 18:36:01 Slávek Banko wrote:
> For normal use, only line with "deb" is enough. If you also want to have source packages available, add a second line with "deb-src". For Preliminary Stable Builds, "main-r14" and "deps-r14" are two components within a single repository - so one line is enough. For the Final Release, "main" and "build-deps" are as two separate repositories - two separate addresses - must be on one line each.
# apt-get update
apt-get upgrade
Would I have a conflict with my actual line ? :
deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
replaced by this line :
deb http://mirror.ppa.trinitydesktop.org/trinity-sb stretch deps-r14
Thanks,
Good evening , depends where we live :-)
André
On Monday 15 of April 2019 20:13:30 andre_debian@numericable.fr wrote:
> On Monday 15 April 2019 18:36:01 Slávek Banko wrote:
>> For normal use, only line with "deb" is enough. If you also want to have source packages available, add a second line with "deb-src". For Preliminary Stable Builds, "main-r14" and "deps-r14" are two components within a single repository - so one line is enough. For the Final Release, "main" and "build-deps" are as two separate repositories - two separate addresses - must be on one line each.
> # apt-get update
> apt-get upgrade
> Would I have a conflict with my actual line ? :
> deb http://mirror.xcer.cz/trinity-sb stretch deps-r14 main-r14
> replaced by this line :
> deb http://mirror.ppa.trinitydesktop.org/trinity-sb stretch deps-r14
> Thanks,
> Good evening , depends where we live :-)
> André
Both of these apt sources are equal - both contain Preliminary Stable Builds repository.
Note: I assume you also have the main-r14 component listed in the second apt source?
Cheers