Discussion: separate security tag?
Hello,

in the context of
https://manpages.debian.org/trixie/unattended-upgrades/unattended-upgrades.8.en.html

could it be possible to automatically update only the security updates
within the pgdg repository?

Kind regards,
Wim

Re: Wim Bertels
> in the context of
> https://manpages.debian.org/trixie/unattended-upgrades/unattended-upgrades.8.en.html
>
> could it be possible to automatically update only the security updates
> within the pgdg repository?

I wouldn't know how to tag the packages in a way that apt would
understand. For security.debian.org, that's based on the whole repo
being "security", but for apt.pg.o, we don't have that.

Christoph

Christoph Berg wrote on Wed 10-12-2025 at 14:48 [+0100]:
> Re: Wim Bertels
> > in the context of
> > https://manpages.debian.org/trixie/unattended-upgrades/unattended-upgrades.8.en.html
> >
> > could it be possible to automatically update only the security updates
> > within the pgdg repository?
>
> I wouldn't know how to tag the packages in a way that apt would
> understand. For security.debian.org, that's based on the whole repo
> being "security", but for apt.pg.o, we don't have that.
>

tnx Christoph,

I was assuming that it would be possible somehow,

so the question then becomes:
could it be possible to have a
security.postgresql.org
and
apt.postgresql.org
?

Wim

Re: Wim Bertels
> so the question then becomes:
> could it be possible to have a
> security.postgresql.org
> and
> apt.postgresql.org

We could have separate suites foo-pgdg-security instead.

But I think that doesn't really solve the problem because it has too
many sub-dimensions. Say you switched to the apt.pg.o version of
pgbouncer because you wanted a newer feature. Would you later want
only security updates for it? If someone else switches to it later for
another feature, would we have to maintain pgbouncer-feature1-security
and pgbouncer-feature2-security?

For the server packages, the discussion is similar.

This would be a huge extra effort, and the problem space is already
complicated enough.

If you want stable stable, use what is in Debian. If you want newer
versions, go with apt.pg.o.

I already try to mention CVEs in the package changelogs, though
sometimes I miss them. I could try to make sure that happens more
often.

Christoph
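
Since the repository has no security suite, the CVE mentions in package changelogs described in the message above are the one signal an admin can check before approving a pgdg upgrade. The following is an added example, not part of the thread and not the project's own tooling; the function name `cves_since`, the sample changelog, the package name and the CVE id are constructed placeholders, and the changelog text of the candidate package is assumed to be available already.

```python
import re

# First line of a Debian changelog entry: "package (version) suite; urgency=..."
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]+ \((?P<ver>[^)]+)\) ")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def cves_since(changelog, installed):
    """Map each entry newer than `installed` to the CVE ids it mentions.
    Entries are newest first; raises ValueError if `installed` never appears.
    """
    pending, current = {}, None
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            if header.group("ver") == installed:
                return pending
            current = header.group("ver")
            pending[current] = []
        elif current is not None:
            for cve in CVE_ID.findall(line):
                if cve not in pending[current]:
                    pending[current].append(cve)
    raise ValueError(f"installed version {installed!r} not found in changelog")

# Constructed sample: package name, versions and the CVE id are placeholders.
SAMPLE = """\
examplepkg (1.3-1) trixie-pgdg; urgency=medium

  * New upstream version 1.3.
  * Fixes CVE-0000-0001.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (1.2-1) trixie-pgdg; urgency=medium

  * New upstream version 1.2 with a new feature.

 -- Example Maintainer <maint@example.org>  Sun, 01 Oct 2023 00:00:00 +0000

examplepkg (1.1-1) trixie-pgdg; urgency=medium

  * Initial upload.

 -- Example Maintainer <maint@example.org>  Sat, 01 Jul 2023 00:00:00 +0000
"""

if __name__ == "__main__":
    for version, cves in cves_since(SAMPLE, "1.1-1").items():
        print(version, cves if cves else "no CVE mentioned")
```

Because the thread notes that CVE mentions are sometimes missed, an empty list means only that no CVE is named in that entry, not that the upgrade carries no security fix.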

Christoph Berg wrote on Thu 11-12-2025 at 12:48 [+0100]:
>
> This would be a huge extra effort, and the problem space is already
> complicated enough.

I can imagine

thank you for the work done and being done