Why is there a separate package repository for Debian security updates?
Why don’t they upload packages to the normal package repository? Is this a general convention… do other distros separate the repositories also?
I’m pretty sure Debian puts security updates in the regular repo as well.
The reason to have a separate repo that only contains security updates is so you can set up a server, only point it at the security repo, and automate updates. Now you’ve got a server that is guaranteed to have the latest security patches without accidentally introducing bugs caused by incompatible versions, etc.
I’m not sure if this exact mechanism is used by other distros. There’s a yum plugin to handle this kind of thing for CentOS, and Gentoo currently has a security mailing list (portage is currently being modified to support security-only updates). FreeBSD and NetBSD both provide ways to do security audits of installed ports/packages, which integrate well with the built-in update mechanisms. All told, Debian’s approach (and probably Ubuntu’s, since they’re so closely related) is one of the slicker solutions to this problem.
It helps with two things:
- safety – first get your security fixes, then you are at lower risk while updating the rest
- security updates should be stored at a high security level, as you tend to rely on them to protect the rest of your system, so it could be that this repo has stronger security controls to prevent compromise

There could well be other reasons, but those are the two I would find useful.
Debian has a distribution channel that provides security updates only so that administrators can choose to run a stable system with only the absolute minimum of changes. Additionally, this distribution channel is kept somewhat separate from the normal channel: all security updates are fed directly from security.debian.org, whereas it is recommended to use mirrors for everything else. This has a number of advantages. (I don’t remember which of these are official motivations I read on Debian mailing lists and which are my own mini-analysis. Some of these are touched on in the Debian security FAQ.)
- Security updates are spread immediately, without the delay incurred by mirror updates (which can add about 1 day of propagation time).
- Mirrors can go stale. Direct distribution avoids that problem.
- There is less infrastructure to maintain as a critical service. Even if most of Debian’s servers are unavailable and people can’t install new packages, as long as security.debian.org points to a working server, security updates can be distributed.
- Mirrors can be compromised (this has happened in the past). It’s easier to watch a single distribution point. If an attacker managed to upload a malicious package somewhere, security.debian.org could push a package with a more recent version number. Depending on the nature of the exploit and the timeliness of the response, this could be enough to keep some machines uninfected or at least warn administrators.
- Fewer people have upload rights on security.debian.org. This limits the possibilities for an attacker trying to subvert an account or machine in order to inject a malicious package.
- Servers that don’t need ordinary web access can be kept behind a firewall that only allows
According to Salvatore Bonaccorso of the Debian security team (via private email to me), it is not recommended to configure the security archive only, “to run a stable system with only the absolute minimum of changes.” For example, in this case you will not receive Linux kernel rebases to new stable versions.
Also, not all security fixes are included in the regular archive, because sometimes they fail to build for certain architectures. In this case the fix cannot be included in the regular archive, but will still be included in the security archive, even if not for all architectures.
Salvatore Bonaccorso recommends always enabling both archives – the regular archive AND the security archive.
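A small check for the two configurations discussed on this page: the security-only setup described in the first answer, and the "both archives" setup recommended in the last one. This is an added example, not code from any of the answers or from Debian itself. It assumes the suite naming used by Debian's security archive (`<suite>-security` since bullseye, `<suite>/updates` on older releases) and reads constructed sources.list text rather than the live system configuration, so it runs anywhere.

```shell
#!/bin/sh
# Added example: classify a sources.list-style text as having the regular
# archive, the security archive, both, or neither for a given suite.
# Assumption: security suites are named "<suite>-security" (bullseye and
# later) or "<suite>/updates" (older releases); both spellings are accepted.

# Constructed sample input: a minimal sources.list for Debian 12 (bookworm)
# with the regular archive, stable-updates and the security archive.
SAMPLE_BOTH='deb http://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm-updates main
deb http://security.debian.org/debian-security bookworm-security main'

# Constructed sample input: the security-only configuration from the first
# answer, which the last answer advises against.
SAMPLE_SECURITY_ONLY='deb http://security.debian.org/debian-security bookworm-security main'

# has_regular <suite> <sources text>
# Succeeds if a "deb <uri> <suite> ..." line exists. The trailing whitespace
# in the pattern keeps "bookworm-updates" from matching suite "bookworm".
has_regular() {
  printf '%s\n' "$2" |
    grep -Eq "^deb[[:space:]]+[^[:space:]]+[[:space:]]+$1[[:space:]]"
}

# has_security <suite> <sources text>
# Succeeds if a deb line for "<suite>-security" or "<suite>/updates" exists.
has_security() {
  printf '%s\n' "$2" |
    grep -Eq "^deb[[:space:]]+[^[:space:]]+[[:space:]]+($1-security|$1/updates)[[:space:]]"
}

# check_sources <suite> <sources text>
# Prints one of: ok, regular-only, security-only, none.
check_sources() {
  if has_regular "$1" "$2"; then
    if has_security "$1" "$2"; then echo ok; else echo regular-only; fi
  else
    if has_security "$1" "$2"; then echo security-only; else echo none; fi
  fi
}

# Demonstration on the constructed inputs.
check_sources bookworm "$SAMPLE_BOTH"            # ok
check_sources bookworm "$SAMPLE_SECURITY_ONLY"   # security-only
```

On a real host the same function can be fed the output of `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list`, with the suite taken from the release you are running; a result other than `ok` is the misconfiguration the last answer warns about (security-only: no kernel rebases or other point-release changes; regular-only: fixes that only built in the security archive are missed).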