我正在运行 Ubuntu 12.04 服务器。
我曾经多次观察到,有些软件包最初是作为安全更新发布的,但后来改为正常更新。
举个具体的例子:
前几天,我的监控报告了安全更新。我立即通过 ssh 连接到服务器并运行以下命令:
root@perseus:~# apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
Inst dpkg [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-security [amd64])
Inst dpkg-dev [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precisesecurity [all]) []
Inst libdpkg-perl [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-security [all])
root@perseus:~# apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
Inst dpkg [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-security [amd64])
Inst dpkg-dev [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precisesecurity [all]) []
Inst libdpkg-perl [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-security [all]).2ubuntu7.6 Ubuntu:12.04/precise-security [amd64])
Inst dpkg-dev [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precisesecurity [all]) []
Inst libdpkg-perl [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-security [all])
然后我就退出了...
几个小时后,我的监控报告说不再有可用的安全更新,但我没有安装更新(软件包unattended-upgrades也没有安装)。
我运行了以下命令:
root@perseus:~# apt-get -s dist-upgrade |grep "^Inst"
Inst dpkg [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-updates [amd64])
Inst libc6-dev [2.15-0ubuntu10.11] (2.15-0ubuntu10.12 Ubuntu:12.04/precise-updates [amd64]) []
Inst libc-dev-bin [2.15-0ubuntu10.11] (2.15-0ubuntu10.12 Ubuntu:12.04/precise-updates [amd64]) []
Inst linux-libc-dev [3.2.0-79.115] (3.2.0-80.116 Ubuntu:12.04/precise-updates [amd64]) []
Inst libc-bin [2.15-0ubuntu10.11] (2.15-0ubuntu10.12 Ubuntu:12.04/precise-updates [amd64]) [libc6:amd64 ]
Inst libc6 [2.15-0ubuntu10.11] (2.15-0ubuntu10.12 Ubuntu:12.04/precise-updates [amd64])
Inst libtasn1-3-dev [2.10-1ubuntu1.2] (2.10-1ubuntu1.3 Ubuntu:12.04/precise-updates [amd64]) []
Inst libtasn1-3 [2.10-1ubuntu1.2] (2.10-1ubuntu1.3 Ubuntu:12.04/precise-updates [amd64])
Inst libtiff4-dev [3.9.5-2ubuntu1.7] (3.9.5-2ubuntu1.8 Ubuntu:12.04/precise-updates [amd64]) []
Inst libtiffxx0c2 [3.9.5-2ubuntu1.7] (3.9.5-2ubuntu1.8 Ubuntu:12.04/precise-updates [amd64]) []
Inst libtiff4 [3.9.5-2ubuntu1.7] (3.9.5-2ubuntu1.8 Ubuntu:12.04/precise-updates [amd64])
Inst linux-image-3.2.0-80-generic (3.2.0-80.116 Ubuntu:12.04/precise-updates [amd64])
Inst multiarch-support [2.15-0ubuntu10.11] (2.15-0ubuntu10.12 Ubuntu:12.04/precise-updates [amd64])
Inst binutils [2.22-6ubuntu1.2] (2.22-6ubuntu1.3 Ubuntu:12.04/precise-updates [amd64])
Inst dpkg-dev [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-updates [all]) []
Inst libdpkg-perl [1.16.1.2ubuntu7.5] (1.16.1.2ubuntu7.6 Ubuntu:12.04/precise-updates [all])
Inst linux-headers-3.2.0-80 (3.2.0-80.116 Ubuntu:12.04/precise-updates [all])
Inst linux-headers-3.2.0-80-generic (3.2.0-80.116 Ubuntu:12.04/precise-updates [amd64])
Inst linux-server [3.2.0.76.90] (3.2.0.80.94 Ubuntu:12.04/precise-updates [amd64]) []
Inst linux-image-server [3.2.0.76.90] (3.2.0.80.94 Ubuntu:12.04/precise-updates [amd64]) []
Inst linux-headers-server [3.2.0.76.90] (3.2.0.80.94 Ubuntu:12.04/precise-updates [amd64])
有谁能解释一下为什么这些软件包更新从安全变为正常?我的服务器有问题吗?
我的 sources.list 如下所示:
deb http://archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://archive.ubuntu.com/ubuntu/ precise main restricted
deb http://archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb http://archive.ubuntu.com/ubuntu/ precise universe
deb-src http://archive.ubuntu.com/ubuntu/ precise universe
deb http://archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://archive.ubuntu.com/ubuntu/ precise-updates universe
deb http://archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://archive.ubuntu.com/ubuntu/ precise multiverse
deb http://archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb http://archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse
答案1
您看到的行为是因为您正在使用安全存储库,并且软件包在发布之前要经过测试过程。
安全团队管理一个私人 ppa 用于测试 - 请参阅https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures了解详情
接下来,该包被发布到安全仓库
-security 仅包含包含安全相关修复的更新包,并且构建时不需要“-updates”中的任何内容。为“-security”构建的任何内容都是在“-updates”和“-security”之间最新版本的包的基础上构建的,因此“-security”中的任何内容都不会引入错误回归。
https://wiki.ubuntu.com/SecurityTeam/FAQ#Repositories
因此,在软件包构建和测试时,它们将经过一系列存储库,从私人安全 ppa 开始,然后进入 -security,然后进入其他存储库。
确切的迁移将随着安全问题的严重程度、测试以及其他存储库中可能需要的内容而有所不同,并且最终一旦软件包被主要维护者打包,它们就会位于主要存储库中。
我猜测安全团队维护 ppa 和 -security 以及其他软件包,或者 MOTU 维护 -main 或 -universe,并且维护者之间的重叠程度取决于软件包。