Haven't had any software updates for a while

76 replies [Latest content]
sanchezman
Joined: 12/09/2015

I think it's been a month or two since I've had any software updates available on my machine. Absolutely nothing is available for upgrade after running apt-get update and apt-get upgrade. Has this happened to anyone else? Have Trisquel repos been frozen in advance of Trisquel 8?

I'm worried that I'm open to security vulnerabilities.

oysterboy
Joined: 02/01/2011

Maybe an issue with the mirror you're using. Can you please post the output of the following command?

cat /etc/apt/sources.list

al_chemia
Joined: 06/14/2016

You're right, there seems to be an issue with the US mirror. I switched to the main server and it's now updating normally.

sanchezman
Joined: 12/09/2015

# Trisquel repositories for supported software and updates
deb http://us.archive.trisquel.info/trisquel/ belenos main
deb-src http://us.archive.trisquel.info/trisquel/ belenos main
deb http://us.archive.trisquel.info/trisquel/ belenos-security main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-security main
deb http://us.archive.trisquel.info/trisquel/ belenos-updates main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-updates main
#deb http://us.archive.trisquel.info/trisquel/ belenos-backports main
#deb-src http://us.archive.trisquel.info/trisquel/ belenos-backports main
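One way to confirm what al_chemia found (a mirror serving an old snapshot while apt reports nothing to upgrade) is to compare the Date header of the suite's Release file on the mirror with the same file on the main server, and to honour Valid-Until where the archive publishes one. The script below is an added example, not code from this thread or from the Trisquel project. The Release texts in it are constructed to mimic apt's format (the suite name comes from the sources.list above; the dates are chosen for the illustration), and the dists/<suite>/Release path in the usage note is apt's standard archive layout, not something this thread states.

```python
"""Freshness check for apt Release files: flags an expired or stale suite
and measures how far a mirror lags the reference archive.

Added example; the Release texts below are constructed, not fetched."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Release file as the main server might publish it.
MAIN_RELEASE = """\
Origin: Trisquel
Label: Trisquel
Suite: belenos-security
Codename: belenos-security
Date: Wed, 10 Aug 2016 04:00:00 UTC
Architectures: amd64 i386
Components: main
Description: Trisquel security updates (constructed sample)
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

# Constructed copy of the same suite from a mirror that stopped syncing in June.
MIRROR_RELEASE = MAIN_RELEASE.replace(
    "Date: Wed, 10 Aug 2016 04:00:00 UTC", "Date: Sun, 05 Jun 2016 04:00:00 UTC")

# Constructed Release whose Valid-Until has already passed.
EXPIRED_RELEASE = """\
Suite: example-security
Codename: example-security
Date: Sat, 09 Jul 2016 00:00:00 UTC
Valid-Until: Sat, 16 Jul 2016 00:00:00 UTC
Components: main
"""

NOW = datetime(2016, 8, 12, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def parse_release(text):
    """Return the single-line header fields of a Release/InRelease file as a
    dict. Indented lines belong to the checksum lists and are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _when(fields, key):
    """Parse an RFC 2822 style timestamp such as apt writes in Date:."""
    return parsedate_to_datetime(fields[key])


def release_status(fields, now=NOW, max_age=timedelta(days=7)):
    """'expired' if Valid-Until has passed; when the archive publishes no
    Valid-Until, 'stale' if Date is older than max_age; otherwise 'fresh'.
    apt enforces Valid-Until itself, but it cannot notice a mirror that
    silently stopped syncing, which is what the Date heuristic is for."""
    if "Valid-Until" in fields:
        return "expired" if now > _when(fields, "Valid-Until") else "fresh"
    return "stale" if now - _when(fields, "Date") > max_age else "fresh"


def mirror_lag(mirror_fields, reference_fields):
    """How far the mirror's Release file trails the reference archive's."""
    return _when(reference_fields, "Date") - _when(mirror_fields, "Date")


def check_mirror(mirror_text, reference_text, now=NOW):
    """Compare a mirror's Release file with the reference archive's copy."""
    mirror, ref = parse_release(mirror_text), parse_release(reference_text)
    if mirror.get("Suite") != ref.get("Suite"):
        raise ValueError("Release files describe different suites")
    lag = mirror_lag(mirror, ref)
    return {
        "suite": ref.get("Suite"),
        "mirror_status": release_status(mirror, now),
        "lag_days": lag.days,
        "mirror_behind": lag > timedelta(0),
    }


if __name__ == "__main__":
    print(check_mirror(MIRROR_RELEASE, MAIN_RELEASE))
    print(release_status(parse_release(EXPIRED_RELEASE)))
```

To run it against a live archive, fetch the suite's Release file from the mirror (for the sources.list above that would be http://us.archive.trisquel.info/trisquel/dists/belenos-security/Release) and the same path on the main server, then pass the two texts to check_mirror(). apt refuses a Release file whose Valid-Until has passed, but only when the archive sets that field; without it, a mirror that silently stops syncing looks exactly like "nothing to upgrade".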

lembas
Joined: 05/13/2010

> I'm worried that I'm open to security vulnerabilities.

You are.

https://trisquel.info/en/forum/abrowser-version-trisquel-6

(the problem is apparently also in trisquel 7)

sanchezman
Joined: 12/09/2015

As much as I love fully free distros, I'm thinking of switching to debian and just not enabling nonfree repos. It seems every fully free distro is consistently teetering on the brink of being left unsupported.

Mzee
Joined: 07/10/2013

Unfortunately, you are very right about this. :-( In the long run, I might do the same.

lembas
Joined: 05/13/2010

Which of the free distros do you have experience with?

I'll probably leave Trisquel as well but I'd rather move to a free distro than an optionally free distro. That would make it so much simpler to answer people who ask which distro I'm using. :)

I think Parabola is where I'm going next.

sanchezman
Joined: 12/09/2015

The last fully free distro I used was parabola. It was fine until a broken update to OpenSSL completely trashed my system. I couldn't browse the internet, I couldn't install updates, and I couldn't even revert to an older version of OpenSSL. I still don't know what caused it to happen (but I think it had something to do with the p2p package installer I had set up two months prior), as I've used Arch before and had 0 problems with it. I guess my warning is: Be careful with rolling release systems that don't have extensive support.

lembas
Joined: 05/13/2010

Thanks for the heads up. I've never used a rolling release distro before but I've heard these stories before. I guess what they say about the bleeding edge is true.

ADFENO
Joined: 12/31/2012

For those wanting to use other free system distribution: try GuixSD.

It's rolling release *but*:

* Lets you keep various versions of the same package.

* Eases the process of building your own packages and sharing them with
others.

** In spite of the above, the build process is made to be user-friendly
through the recipes written in Guile.

** If the GuixSD knows someplace where it can get builds for packages,
and if there is one for your system architecture, it'll download the
package. It won't build things unless it can't find a built package.

* Avoids "dependency hell".

* Many other advantages that I forgot to mention due to lack of human
memory.

I'm not going to switch right now due to a huge backlog of personal
tasks that I have to do. But I'm planning on doing so some time (maybe 6
months from now, I guess).

davidpgil
Joined: 08/26/2015

I really like the idea of switching to GuixSD as well, but I am concerned it might be too early to really use. :/

root_vegetable
Joined: 10/26/2015

It's just impossible to install for me. Something always goes catastrophically wrong and I can't make it work in a VM.
Why there isn't a basic graphical installer is a question I cannot answer.

ADFENO
Joined: 12/31/2012

Perhaps there is no basic graphical installer for GuixSD because there's
lack of workers there?

At any rate, I have been noticing that some projects are starting to
integrate built-in updates or package managers on their resulting
software, or are stuffing/bundling things from other projects into their
own. While this offers updates and convenience for the default/expected
consumer values, it has setbacks and possibly even problems for
society's essential freedoms:

* First and most importantly, both stuffing/bundling and
package-or-software specific package-managers can cause issues related
to society's essential freedoms, especially for maintainers of free
system distributions, E.g.:

** BOINC: Which is *currently* free software, is in the Free Software
Directory. However, according to the GNU Free System Distribution
Guidelines: since it has an external repository that doesn't have the
*goal/commitment* to include only free packages, references to this
repository must be replaced by references to freedom-committed ones and
as such, this shifts the pressure from the software project (BOINC) to
the free system distribution project (e.g.: Trisquel). I recall seeing a
group of people discussing the possibility of making a Libre BOINC
repository, it was discussed here in the English forum of the Trisquel
project.

** Firefox, Thunderbird and related software from Mozilla: Which are, as
far as I know, all non-free software. While their status as free
software isn't the focus of this item, free system distribution projects
that provide freed adaptations of these software must also remove
references to the repositories that don't have commitment in favor of
our movement. That is, just forking and making a freed adaptation of
these is not enough since they have an external repository of
extensions, and these must either be replaced by freedom-committed
repositories, otherwise the references must simply be removed, or the
package as a whole not redistributed.

** Docker container repositories: See
https://lists.gnu.org/archive/html/libreplanet-discuss/2016-04/msg00103.html

* Stuffing/bundling things can break system integration,
functionalities, or even cause the parts of the project that were
bundled to be out of date. On accounting terms: It can also raise the
costs associated with maintaining the personalized bundled project (that
is beyond customization). Imagine that your system has a copy of GTK+ 3,
now imagine that, for some reason, you decide to use a version of
LibreOffice and one of Evolution that both require GTK+ 2, but which
have this one bundled/stuffed inside their packages. That is: you'll be
downloading GTK+ 2 *twice*. The same applies to per-software-based
package managers or containers (namely: NodeJS npm, Ruby gems package
manager, Python pip, Docker containers-manager-that-I-forgot-the-name,
videogame-based package managers, and so on).

** For a related discussion, see:

*** https://wingolog.org/archives/2015/11/09/embracing-conways-law

***
http://media.libreplanet.org/u/libreplanet/m/solving-the-deployment-crisis-with-gnu-guix-f8fd/

* On the other side of the issue: System-wide package management when,
and only when:

** It's limited to only one version per package;

** That has no automated and reproducible package making facilities;
*and* ...

** That doesn't isolate sets of packages into environments according to
what is really needed for them to work regardless of the versions
already installed; ...

... can also cause problems and raise costs or resource usage. Mainly
because, since these packages can only be kept with one version at a
time, and because their behavior is not easily reproducible across
different computers or operating systems, one bug can entice the user to
change the version of the package, and then we have dependency hell.

** For a related discussion, see:

*** https://wingolog.org/archives/2015/11/09/embracing-conways-law

***
http://media.libreplanet.org/u/libreplanet/m/solving-the-deployment-crisis-with-gnu-guix-f8fd/

* Projects which choose to bundle/stuff other projects inside theirs
generally do so because they see the dependency on system-wide package
managers as a major issue and so they try to anticipate the problem by
bundling/stuffing the projects in which they depend on inside their own
project. However, time passes by, they make adaptations to their
bundled/stuffed copy, but almost always fail to keep communicating with
the original project in order to aid on the decision-making or
development processes of these parent projects.

** For a related discussion, see:

*** https://wingolog.org/archives/2015/11/09/embracing-conways-law

***
http://media.libreplanet.org/u/libreplanet/m/solving-the-deployment-crisis-with-gnu-guix-f8fd/

* Personally, I think that the projects that do want to have their
software made as a package must also themselves take part into making
sure that their resulting software can be reproducible in different
computers and operating systems, not just leave it only for the package
maintainers/makers to do.

* Bundling/stuffing and software-based or language-based
package-managers can also raise the learning curve for the advanced
users.

** For a related discussion, see:

*** https://wingolog.org/archives/2015/11/09/embracing-conways-law

***
http://media.libreplanet.org/u/libreplanet/m/solving-the-deployment-crisis-with-gnu-guix-f8fd/

root_vegetable
Joined: 10/26/2015

All I will say is that if they want more developers, making it as easy as possible to take part is ideal. At the moment I can't even run Guix in Qemu, let alone install it on my computer, so it's a real pain.

ADFENO
Joined: 12/31/2012

I have successfully run GuixSD *live USB* in QEMU once. Although I'm not
doing so currently due to the fact that my computer's five years old
disk drive malfunctioned only due to its age.

Can you please tell me what are you using to run GuixSD in QEMU? If
you're using a command line, which one?

You might as well be interested on reading the following documentation,
from GuixSD/Guix project themselves on running GuixSD on QEMU:

https://www.gnu.org/software/guix/manual/html_node/Running-GuixSD-in-a-VM.html#Running-GuixSD-in-a-VM

As an off-topic note: I plan to install Guix (the package manager,
without "SD") in my Trisquel installation.

oysterboy
Joined: 02/01/2011

The Abrowser situation annoys me too. I am currently evaluating Parabola. Installing it was surprisingly easy. I remembered having a hard time trying to install Arch a few years ago (I actually never succeeded :)), but following the beginner's guide to Parabola was really straightforward and easy. I am currently evaluating two desktop environments: MATE and KDE. All the programs are as up to date as can be, and that includes Iceweasel of course. But there are risks associated with the rolling release model. A few days ago, an update to hunspell, I believe, broke Icedove, Iceweasel and Icecat. On the other hand, it was fixed the next day. Also I read somewhere that the MATE desktop is currently unmaintained (the maintainer of the MATE packages for Arch decided to quit) and might be dropped from the repos for that reason. So being on the bleeding edge can have important drawbacks if you don't like (big) surprises after applying updates...

Maybe Trisquel needs to drop Abrowser and concentrate on Icecat, where it may be easier to make sure the latest security patches are applied in a timely fashion?

Legimet
Joined: 12/10/2013

I'm planning to install Debian testing (main only, of course) one of these days. Because of the vulnerable Abrowser, and because I need newer versions of some packages (for which I downloaded the .debs from Debian). I also like Parabola.

hack and hack
Joined: 04/02/2015

In that other thread, it is said that Abrowser's version in Trisquel 7 is outdated.

But according to this, it isn't a problem regarding support (https://trisquel.info/fr/forum/icecat-default-browser#comment-3375).

> Web Browser 3.5? Why should Trisquel users have to get an outdated version
> of their browser for the next six months, when 3.6 has come out already?

It will ship with whatever version is the official upstream, to have the same level of support. Stability and security are more important than modernity.

So what's the deal? With two people saying the opposite, and me not being knowledgeable enough, what do you all think? And Why?

Legimet
Joined: 12/10/2013

That was before the Firefox rapid release, when Debian/Ubuntu backported security patches to the version of Firefox they were using. Now all distros either use the latest version, or a supported ESR version. Debian uses the ESR version, but no longer backports security fixes, so once the version they are using is unsupported, they go to the next ESR version.
The situation in Trisquel is that there is an old, unsupported non-ESR version receiving no updates, and this is a serious issue.

hack and hack
Joined: 04/02/2015

Thanks.
Basically, ESR or not, at some point it's time to upgrade, because the security fixes are not backported from the latest version anymore, if I understand.
This is definitely not right.

I'd rather have the money spent on this instead.
The browser is one of the weakest links, so this issue really needs to be first on the list.
Especially since it's an OS meant for the average user.

In terms of security, I wonder how many programs need to always be up-to-date, besides the browser. Anything accessing the network, I suppose, but this might be overkill.

hack and hack
Joined: 04/02/2015

Firefox will manage its own updates independently of your system’s package manager, and download subsequent releases. There will be no need to repeat the whole “procedure”… Enjoy Firefox!
Thanks for the info. It's probably the easiest and simplest fix on the list.
Reading this, I see it updates by itself, even upgrades by itself probably since there's no need to "repeat the whole procedure".
I even found the ESR version in there.

But it's only a fix. So few were aware that there was such a security hole for so long in the first place.
Even the users reading the forum are/were in trouble if we rely only on the system updates.
It takes DAYS for Ubuntu to switch to the next version,
though it takes less work than Abrowser or Icecat, but still.
Not normal for both Trisquel browsers to take so long when it comes to security.

If it's too much work, at the very least, the maintainers should let Firefox be the default on the next release. It might be not as free (minor issues, but issues nonetheless), but at least it is safe, always, for all users (which allows to spread the word about Trisquel with confidence).
Or be religiously steady with these specific updates.

Bottom line: as it is right now, I'll stay on Trisquel because I can fix some stuff and I want to support it.
I can also fix the other few machines around me.

But for now I just can't recommend it around me.

hack and hack
Joined: 04/02/2015

Could you expand just a bit on Debian not backporting security fixes on ESR?
I thought that was the point of ESR (which I barely knew existed yesterday, might I add).

So Firefox 44 was out in early February (https://en.wikipedia.org/wiki/Firefox_versions#Version_44).
It's been nearly 6 months without any updates, since once a new version comes out, the earlier one isn't supported anymore (can't find again where I've read that yet).

But to my understanding, simply upgrading to version 45 (ESR) would have brought security fixes for 10 months or so.
Unless there's that backports thing I don't quite get.

root_vegetable
Joined: 10/26/2015

Debian used to choose a version of Firefox (not ESR) and keep it for the entire duration of the release, so had to backport security fixes to that version. However it was too much work. Now they just use upstream Firefox ESR.

hack and hack
Joined: 04/02/2015

I see, so ESR is clearly the way to go, unless wanting the latest feature (I personally don't care). By the way, Icecat may be ESR, but I just noticed it's unsupported since 3 months ago.

The devs seem to be available on IRC, I suppose I'll go ask them about all this.

root_vegetable
Joined: 10/26/2015

IceCat and Abrowser don't apply their own security patches. They track Firefox Extended Support Release, except when they don't, and aren't up to date. Like, er, now.

hack and hack
Joined: 04/02/2015

Thanks. Does it happen often? Or, how long has it been left not updated?

root_vegetable
Joined: 10/26/2015

It's a volunteer effort so no guarantees. I never saw the appeal of these derivatives over Firefox other than ideological purity. I don't think ideological purity should be at the expense of security updates, as long as I can use a system with libre software alone. I am thinking of switching to Qubes OS because as far as I can tell it has the same policies as Debian, so I have asked on the mailing list about this.
It's simply not worth compromising for your web browser. Firefox, which is essentially low-hanging fruit for attackers, should always be kept up to date. Therefore, you should use upstream if possible.

hack and hack
Joined: 04/02/2015

I definitely agree.

I find it strange that the maintainer(s) would make such a mistake continuously. Are you sure there's no missing info on this issue?
I remember seeing Abrowser being part of the updates a few "months" ago.
Is there a way to see the update history of a program?

loldier
Joined: 02/17/2016

I think you can check the logs.

https://trisquel.info/en/forum/how-do-i-list-last-installed-updates

Synaptic has a history tab somewhere.

hack and hack
Joined: 04/02/2015

Thanks. /var/log I could find, though I only found a search history in Synaptic (which is still a nice discovery).

lembas
Joined: 05/13/2010

It's under File > History.

hack and hack
Joined: 04/02/2015

That's how I found the search history I talk about above, but there seems to be no update history or version history in Synaptic.

lembas
Joined: 05/13/2010

It's not search but install/update/remove history.

hack and hack
Joined: 04/02/2015

I see -_-" ...

*Ahem* so then the latest update I have about abrowser is from November 10 2015. It says version 41.0.2,
while abrowser --version in the CLI gives me 44.0.2.

Either way, both are dangerously outdated.

Magic Banana
Joined: 07/24/2010

In my /var/log/apt:
Start-Date: 2016-02-12 07:39:56
Upgrade: abrowser:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44), abrowser-locale-en:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44), abrowser-locale-fr:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44)
End-Date: 2016-02-12 07:40:17
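loldier's pointer to the logs can be turned into a small tool that answers the question asked a few posts up (is there a way to see the update history of a program?). The following Python is an added example, not code from this thread or from Trisquel. It parses the format of /var/log/apt/history.log that Magic Banana quoted above; the abrowser stanza in SAMPLE_LOG is copied from that post, while the other two stanzas and their version strings are constructed for the illustration.

```python
"""Answer "when was package X last changed on this machine?" from apt's
history log (/var/log/apt/history.log) and flag packages whose last
recorded change is older than a threshold.

Added example; SAMPLE_LOG is constructed in the log's format (the abrowser
stanza copies the one quoted in the thread, the other two are invented)."""
import re
from datetime import datetime, date

SAMPLE_LOG = """\
Start-Date: 2015-11-10 09:01:12
Commandline: apt-get upgrade
Upgrade: libssl1.0.0:amd64 (1.0.1f-1, 1.0.1f-2), abrowser:amd64 (41.0.1+build1-0ubuntu0.14.04.1+7.0trisquel41, 41.0.2+build1-0ubuntu0.14.04.1+7.0trisquel41)
End-Date: 2015-11-10 09:01:40

Start-Date: 2016-02-12 07:39:56
Upgrade: abrowser:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44), abrowser-locale-en:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44), abrowser-locale-fr:amd64 (44.0.1+build2-0ubuntu0.14.04.1+7.0trisquel44, 44.0.2+build1-0ubuntu0.14.04.1+7.0trisquel44)
End-Date: 2016-02-12 07:40:17

Start-Date: 2016-03-01 12:00:00
Commandline: apt-get install firejail
Install: firejail:amd64 (0.9.38-1, automatic)
End-Date: 2016-03-01 12:00:05
"""

# "name:arch (versions)" items as they appear on Upgrade:/Install:/Remove: lines
ITEM_RE = re.compile(r"(?P<name>[^\s:,]+):(?P<arch>\S+) \((?P<versions>[^)]*)\)")
ACTIONS = ("Install", "Upgrade", "Downgrade", "Remove", "Purge")


def parse_history(text):
    """Return one dict per action line: {'start': datetime, 'action': str,
    'packages': [(name, old_version_or_None, new_version)]}."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value
        if "Start-Date" not in fields:
            continue
        start = datetime.strptime(fields["Start-Date"], "%Y-%m-%d %H:%M:%S")
        for action in ACTIONS:
            if action not in fields:
                continue
            packages = []
            for m in ITEM_RE.finditer(fields[action]):
                # apt marks auto-installed dependencies with a trailing ", automatic";
                # drop that so it is not mistaken for a version string
                versions = [v.strip() for v in m.group("versions").split(",")
                            if v.strip() != "automatic"]
                old = versions[0] if len(versions) == 2 else None
                packages.append((m.group("name"), old, versions[-1]))
            entries.append({"start": start, "action": action, "packages": packages})
    return entries


def last_change(entries, name, actions=("Install", "Upgrade", "Downgrade")):
    """Most recent install/upgrade of `name` as (start, old, new), or None."""
    best = None
    for e in entries:
        if e["action"] not in actions:
            continue
        for pkg, old, new in e["packages"]:
            if pkg == name and (best is None or e["start"] > best[0]):
                best = (e["start"], old, new)
    return best


def age_days(entries, name, today):
    """Whole days since `name` last changed, or None if it never appears."""
    last = last_change(entries, name)
    return None if last is None else (today - last[0].date()).days


def stale_packages(entries, names, today, max_age_days):
    """Names whose last recorded change is older than max_age_days, or absent."""
    return [n for n in names
            if age_days(entries, n, today) is None
            or age_days(entries, n, today) > max_age_days]


if __name__ == "__main__":
    entries = parse_history(SAMPLE_LOG)
    today = date(2016, 4, 15)  # constructed reference date
    for name in ("abrowser", "libssl1.0.0", "firejail"):
        print(name, last_change(entries, name), age_days(entries, name, today))
    print("older than 60 days:",
          stale_packages(entries, ["abrowser", "libssl1.0.0", "firejail"], today, 60))
```

On a real system, pass it open('/var/log/apt/history.log').read(); logrotate moves older entries into history.log.1.gz and so on, which gzip.open() can read the same way. The log only records what apt did, so a package that never appears in it has either never been touched by apt on that machine or was last changed before the oldest surviving log file.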

hack and hack
Joined: 04/02/2015

Mine mentioned the right version too. It's just that Synaptic didn't, for some reason.
I'm on IRC as hack2, I made my point about the browsers update, but nobody's there yet.

root_vegetable
Joined: 10/26/2015

Not a mistake. They probably just don't have enough time. It is no excuse but that is probably why there are no updates. Of course they could be too lazy but I doubt it is anything malicious. It shows you why there are no guarantees.

hack and hack
Joined: 04/02/2015

I can understand, but isn't that a priority over many other things? To me, the browser is one of the more "fragile" programs, the most prone to attacks.

root_vegetable
Joined: 10/26/2015

Exactly. It should be a priority but from what I can tell the developers of IceCat and Abrowser don't have much time. Therefore they fall behind.

hack and hack
Joined: 04/02/2015

Oh, so it has nothing to do with Trisquel, but with the specific programs devs? Then logically, these programs shouldn't be relied on as the main browsers. But maybe the alternatives aren't better.

Then besides Tor, what would be another alternative, in your opinion?
Would a Debian package of Firefox be fine? If so, would I have to check for updates, and download and install the package of the newer version every time, or is there a way to upgrade to the next ESR automatically?
Of course, Firejail and Apparmor come to mind (if that's enough).

But it sucks for the average user who barely knows about updating the OS, especially if it's the very thing that fails him/her.

Oh well, maybe Debian is the simpler solution. I'm not a fan of non-free recommendations though. And Firefox has stuff like Pocket, if I'm not mistaken, which still has a free license. But that's also the more radical and last solution on the list.

Midori is up-to-date, but not as secure/privacy-friendly, it seems. Also, no access to some essential plugins.

Magic Banana
Joined: 07/24/2010

Quidam (Trisquel's leader) is the maintainer of both Abrowser and IceCat.

hack and hack
Joined: 04/02/2015

Thanks, then I'll ask him on IRC.
For now, I'll probably try one of the suggestions about installing Firefox.

root_vegetable
Joined: 10/26/2015

Download it from Firefox website then add a .desktop file in /usr/local/bin which launches the software. Alternatively, use Midori or something else.

loldier
Joined: 02/17/2016

There's a deb package available.

https://packages.debian.org/jessie/firefox-esr

http://packages.ubuntu.com/trusty/firefox

It should be installable with

dpkg -i 'package name'

If unmet dependencies, try

apt-get install -f

and then type 'dpkg -i [package name]' again

root_vegetable
Joined: 10/26/2015

Best to use the package from Ubuntu as Debian and Ubuntu sometimes have slightly different versions of libraries. Even better, build the deb package from source if you don't want to trust Canonical.

loldier
Joined: 02/17/2016

I tried to build Firefox from source on my LibertyBSD Intel Atom. After about three to four hours I called it a day and cancelled. It can take a long time to build Firefox.

On a faster, modern multicore CPU, I'd estimate it takes some twenty minutes.

root_vegetable
Joined: 10/26/2015

Enable ccache, use an SSD, and set it to do two jobs (one for each core) at once.

SuperTramp83
Joined: 10/31/2014

> Best to use the package from Ubuntu as Debian and Ubuntu sometimes have slightly different versions of libraries.

It's not "sometimes", it's "usually".

hack and hack
Joined: 04/02/2015

Thanks for this.
That would mean I'd have to do this every 4 months or so, just to be up-to-date?
Because I can't find the ESR (version 45).
I only found this, provided I did a proper search:
http://packages.ubuntu.com/trusty/web/firefox

OTOH, Debian has it (and is in https): https://packages.debian.org/stable/web/firefox-esr

I don't see how compiling from source offers any benefits unless I'd inspect the code, or would want to patch it or something. Anyone feel free to enlighten me on this.

root_vegetable
Joined: 10/26/2015

Use the one from Ubuntu. ESR does not have any security advantages as it is designed just to be stable, which is why Tor Browser uses it.
If you don't trust Canonical that is a reason to build from source. I largely do but you never know.
At any rate the option is there and really easy: you just need to download the deb-src package and then use the Debian package building scripts. I also find it is good to have a schedule of rebuilding certain packages I build from source, every two weeks or monthly, such as the kernel, as it is something to do to pass the time and you feel like a real nerd which is something.