Byzantium security updates missing or late or error in sources.list?

On the 10th of September Debian published the following three security advisories with updated packages:

DSA-4973 thunderbird
DSA-4972 ghostscript
DSA-4969 firefox-esr

I have got the Debian repositories installed with pinning to PureOS, so I can ask for the installation candidates using apt policy:

root@pureOS1:/etc/apt$ apt policy thunderbird ghostscript firefox-esr
thunderbird:
  Installed: 1:78.12.0-1
  Candidate: 1:78.12.0-1
  Version table:
     1:78.14.0-1~deb11u1 -10
        -10 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
 *** 1:78.12.0-1 1001
       1001 https://repo.puri.sm/pureos byzantium/main amd64 Packages
       1001 https://repo.pureos.net/pureos byzantium/main amd64 Packages
        -10 http://ftp.gwdg.de/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
ghostscript:
  Installed: 9.53.3~dfsg-7
  Candidate: 9.53.3~dfsg-7
  Version table:
     9.53.3~dfsg-7+deb11u1 -10
        -10 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
 *** 9.53.3~dfsg-7 1001
       1001 https://repo.puri.sm/pureos byzantium/main amd64 Packages
       1001 https://repo.pureos.net/pureos byzantium/main amd64 Packages
        -10 http://ftp.gwdg.de/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
firefox-esr:
  Installed: 78.12.0esr-1
  Candidate: 78.12.0esr-1
  Version table:
     78.14.0esr-1~deb11u1 -10
        -10 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
 *** 78.12.0esr-1 1001
       1001 https://repo.puri.sm/pureos byzantium/main amd64 Packages
       1001 https://repo.pureos.net/pureos byzantium/main amd64 Packages
        -10 http://ftp.gwdg.de/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
root@pureOS1:/etc/apt$ 

My sources.list looks like this for PureOS:

root@pureOS1:/etc/apt$ grep -v '^#' /etc/apt/sources.list
deb [arch=amd64] https://repo.puri.sm/pureos byzantium main
deb [arch=amd64] https://repo.pureos.net/pureos/ byzantium-security main
deb [arch=amd64] https://repo.pureos.net/pureos/ byzantium-updates main
deb [arch=amd64] https://repo.pureos.net/pureos/ byzantium main
deb-src https://repo.pureos.net/pureos/ byzantium main

Is my sources.list wrong or are there simply no updates?

2 Likes

@ChriChri that’s interesting, thanks for the report.

@Kyle_Rankin <- looks like the byzantium-security repo somehow doesn’t follow the Debian one.
Those CVEs can really impact Purism USERS - firefox-esr is the most common browser choice in the PureOS 10 user community.

Here’s another important package with a security issue and it’s missing update:

DSA-4963-1 openssl

I have to keep my notebook secure and can’t wait any longer for a solution here.

I defined the Debian repositories:

root@pureOS1:~$ cat /etc/apt/sources.list.d/debian.list  | grep -v ^#
deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free

I installed the keys for the repos and pinned like this:

root@pureOS1:~$ cat /etc/apt/preferences.d/pinning | grep -v ^#                            
Package: *
Pin: release v=11,o=Debian,a=stable-security,n=bullseye-security
Pin-Priority: 990

Package: *
Pin: release o=PureOS
Pin-Priority: 989

Package: *
Pin: release o=debian
Pin-Priority: 2

Package: *
Pin: release o=Debian Backports
Pin-Priority: 1

I removed apache2-bin (apt-get purge apache2-bin), which I do not need since I do not use gnome-user-share, which in my installation was the only package depending on apache2-bin.

Using apt-get upgrade, this led to the upgrade of the following packages:

exiv2 firefox-esr ghostscript ghostscript-x gir1.2-grilo-0.3 libc-ares2 libexiv2-27 libgrilo-0.3-0 libgs9
libgs9-common libntfs-3g883 libperl5.32 libssh-4 libssh-gcrypt-4 libssl-dev libssl1.1
libxmlgraphics-commons-java lynx lynx-common ntfs-3g openssl perl perl-base perl-doc perl-modules-5.32
squashfs-tools thunderbird thunderbird-l10n-de

My understanding, and I could be wrong, is that this was a temporary thing as we migrate the infrastructure from tracking upstream testing to tracking upstream stable (instead of tracking based on codename). I believe we should finish this soon and new updates should start rolling in again.

1 Like

@Kyle_Rankin, the paste from @ChriChri shows that he set up pinning on the repos and compared Debian bullseye to byzantium.
The problem is that byzantium-security is not following Debian, so we are slightly outdated and vulnerable.

Actually a clever way of measuring delays between Purism builds vs Debian…
KUDOS to @ChriChri for showing that trick, I never thought about how to monitor this.
Anyway, prioritizing the repository migration would be appreciated as firefox/thunderbird and openssl are quite widely used :slight_smile: so having them vulnerable is nothing good :slight_smile:

1 Like

DSA-4974 nextcloud-desktop

apt policy libnextcloudsync0
libnextcloudsync0:
  Installed:  3.1.1-2+deb11u1
  Candidate:  3.1.1-2+deb11u1
  Version table:
 *** 3.1.1-2+deb11u1 990
        990 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.1.1-2 989
        989 https://repo.puri.sm/pureos byzantium/main amd64 Packages
        989 https://repo.pureos.net/pureos byzantium/main amd64 Packages
          2 http://ftp.gwdg.de/debian bullseye/main amd64 Packages

https://security-tracker.debian.org/tracker/source-package/nextcloud-desktop

To just see the difference, you would need to change the priorities in the pinning in a way that the byzantium repo gets the highest priority and/or the Debian repos’ priority is below 990.

Pinning - at least for me - every time I look at it is a real headache. I’m always double checking which packages would get changed because I never get it right on the first try.

If anybody is interested in getting news about security updates published by Debian, here’s the page to look at.

There is a quite small subscription button to receive regular updates on an RSS feed.
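The `apt policy` comparison at the top of this thread (and the libnextcloudsync0 one just above) is a manual version of a check worth automating. The script below is an added example written for this page, not a Purism or Debian tool: it parses `apt policy` output, re-implements dpkg's version ordering (epochs, `~` sorting before everything, `+deb11u1`-style revision suffixes) so it runs without dpkg, and lists every installed package for which a `*-security` suite carries a newer version, flagging whether apt's candidate is still the old version, which means the pin priorities are hiding the fix rather than a forgotten `apt upgrade`. The sample input is the thunderbird output quoted above; the `-security` suite-name convention and English field names (run it on `LC_ALL=C apt policy …` output) are assumptions.

```python
"""Spot security fixes that apt pinning hides: parse `apt policy` output and
report packages where a *-security suite has a newer version than installed.
Added example for this thread, not a Purism or Debian tool; needs no dpkg."""
import re

def _order(c):
    # dpkg weight for non-digit runs: '~' < end of string < letters < others
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's verrevcmp(): alternate non-digit runs and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_vercmp(a, b):
    """-1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ra = a.split(":", 1) if ":" in a else ("0", a)
    eb, rb = b.split(":", 1) if ":" in b else ("0", b)
    if int(ea) != int(eb):
        return -1 if int(ea) < int(eb) else 1
    ua, va = ra.rsplit("-", 1) if "-" in ra else (ra, "")
    ub, vb = rb.rsplit("-", 1) if "-" in rb else (rb, "")
    r = _cmp_fragment(ua, ub) or _cmp_fragment(va, vb)
    return (r > 0) - (r < 0)

# English-locale `apt policy` layout is assumed (run with LC_ALL=C)
_SRC = re.compile(r"^\s*-?\d+\s+\S+\s+(\S+)/\S+\s+\S+\s+Packages$")
_VER = re.compile(r"^(?: \*\*\*|\s+)\s*(\S+)\s+-?\d+$")

def parse_apt_policy(text):
    """{pkg: {'installed': v, 'candidate': v, 'versions': [(v, [suites])]}}"""
    pkgs, cur, ver = {}, None, None
    for line in filter(str.strip, text.splitlines()):
        s = line.strip()
        if not line[0].isspace() and line.endswith(":"):
            cur = pkgs.setdefault(line[:-1], {"installed": None, "candidate": None, "versions": []})
            ver = None
        elif s.startswith(("Installed:", "Candidate:")):
            key, _, val = s.partition(":")
            cur[key.lower()] = val.strip()
        elif _SRC.match(line) and ver is not None:
            ver[1].append(_SRC.match(line).group(1))  # suite, e.g. bullseye-security
        elif _VER.match(line):
            ver = (_VER.match(line).group(1), [])
            cur["versions"].append(ver)
    return pkgs

def missing_security_updates(text, suite_suffix="-security"):
    """Rows (pkg, installed, fix, suite, hidden_by_pin); hidden_by_pin means apt's
    candidate is still older than the fix, so `apt upgrade` skips it due to pins."""
    rows = []
    for name, info in sorted(parse_apt_policy(text).items()):
        inst, best = info["installed"], None
        if not inst or inst == "(none)":
            continue
        for version, suites in info["versions"]:
            sec = [s for s in suites if s.endswith(suite_suffix)]
            if sec and (best is None or dpkg_vercmp(version, best[0]) > 0):
                best = (version, sec[0])
        if best and dpkg_vercmp(best[0], inst) > 0:
            hidden = dpkg_vercmp(info["candidate"] or inst, best[0]) < 0
            rows.append((name, inst, best[0], best[1], hidden))
    return rows

# Constructed sample: the thunderbird `apt policy` output quoted in this thread.
SAMPLE = """\
thunderbird:
  Installed: 1:78.12.0-1
  Candidate: 1:78.12.0-1
  Version table:
     1:78.14.0-1~deb11u1 -10
        -10 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
 *** 1:78.12.0-1 1001
       1001 https://repo.puri.sm/pureos byzantium/main amd64 Packages
        -10 http://ftp.gwdg.de/debian bullseye/main amd64 Packages
"""
```

Feed it real output with `LC_ALL=C apt policy $(dpkg-query -f '${binary:Package}\n' -W)` and call `missing_security_updates` on the text; an empty list means every installed package is at or above what the security suite offers, and a row with `hidden_by_pin` set is exactly the situation in this thread, where the fix is visible in the version table but the pin priorities keep the candidate on the older PureOS build.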

Well, taking into consideration that PureOS Byzantium is nothing more than Debian Bullseye stripped of (i386, non-free) packages,
it is more logical to just stop using PureOS.
There is a way to actually convert to Debian and keep PureOS-specific packages in place.
Here is a list of what a user should do:
Step 1)
edit /etc/apt/sources.list

deb http://ftp.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/ bullseye-security non-free main contrib
deb http://ftp.debian.org/debian/ bullseye-updates non-free main contrib
deb http://ftp.debian.org/debian/ bullseye-proposed-updates non-free main contrib

Now run:
$ sudo apt update
$ sudo apt-get reinstall --allow-downgrade $(apt list --installed | grep ,local | awk -F / '{print $1}')

Step 2)
At this point you will have converted PureOS to Debian, with orphaned PureOS-specific packages.
Now let’s add PureOS back:

create file /etc/apt/sources.list.d/PureOS.list

deb https://repo.pureos.net/pureos/ byzantium-security main
deb https://repo.pureos.net/pureos/ byzantium-updates main
deb https://repo.pureos.net/pureos/ byzantium main

create file /etc/apt/preferences.d/99-PureOS

# Never prefer packages from the repo.pureos.net repository
Package: *
Pin: origin repo.pureos.net
Pin-Priority: 1

# Allow upgrading only the pureos-* packages from repo.pureos.net
Package: pureos-*
Pin: origin repo.pureos.net
Pin-Priority: 500

$ sudo apt update
$ sudo apt upgrade

Now let’s test whether we can install something from PureOS:
$ sudo apt reinstall pureos-security-hardening

BOOM, you no longer have vulnerable software, and you will still get updates for PureOS-specific packages like librem-ec-acpi-dkms.

Conclusion: maybe Purism, instead of wasting resources to clone Debian, should just keep a PureOS-specific repo for Debian??? Especially since your secure OS is not secure at all - see the list of vulnerabilities that are fixed in the latest Debian and still waiting to be compiled and deployed to the Byzantium-security repo … @Kyle_Rankin - for your consideration…

For people who are afraid of doing the PureOS -> Debian conversion: you can just install Debian, then follow this guide from Step 2.

Pros: wine for 32-bit apps would be possible, steam would be possible, installing binary firmware for BT, i915 without complicated hacks would be possible, and you actually will get the security updates that PureOS is lacking for now.
Cons: you will be able to use non-libre firmware in your drivers, which PureOS would require anyway… :wink:

Note for people with paranoia: there is a much higher probability that a government that spies on you will use a vulnerability in Firefox-esr that is actually present and not patched in PureOS than that it will actually hack the Debian repo to inject an exploit for you :wink:

1 Like

You can find PureOS here: https://www.gnu.org/distros/free-distros.html

You can read some more about the background here: https://puri.sm/posts/why-fsf-endorsing-pureos-matters/

@ChriChri I know why PureOS was created, and I understand the idea of having a really free distro.

However, one of the reasons to have PureOS is security, while at the same time we have outdated vulnerable packages in the repo, and not following the upstream security repo is, delicately speaking, a dissonance between the message and the actual state.

Technically, to bring Debian to the same state as PureOS from the libre perspective is: disable the contrib and non-free sub-repos.
The effect would be the same - a really libre OS, however with a huge community and actually being maintained, while PureOS seems to suffer from delayed maintenance…

3 Likes

I share your criticism, but I’m wishing for a different solution.

I value the idea of making things free in the sense of the FSF. And I value the risk taken by Purism in taking on this extra burden.

My preferred solution would be to put more priority on the maintenance of PureOS.

3 Likes

It’s worth stating here that Byzantium does follow upstream Debian. The issue is that the gap is somewhat longer than before due to infrastructure changes on our end. The plan is to have those security updates fully connected this week.

4 Likes

The delayed maintenance is temporary and known. The gap is going to be closed. We continue to provide security services (based on Debian’s service) for our stable distro Amber. Given that Byzantium is a ‘beta’ or development release and not a designated stable release there ought to be some expectation that it won’t behave in the same manner as a stable release. Nonetheless, it is our full intention to provide full security support for Byzantium (PureOS 10) in the same manner we do for our stable Amber release.

2 Likes

Well, beta or not, L14 users for example have no other choice (if they wish to use PureOS) than to use Byzantium.
Or switch to Debian.
I will be more than happy to convert my PureDebian BullseyeByzantium to PureOS Byzantium when Byzantium-security is in line with Debian.
Thanks for the explanation, thanks for all your effort. Please continue <3
EDIT: No sarcasm here, I really like PureOS, it’s clean, aesthetic and bloat free…
a piece of good work.

2 Likes

As I say, we hope to be able to announce updated security service with Byzantium shortly. And thanks for the kind words.

3 Likes

I’ve uploaded a new thunderbird and a new libssh to the archives. It will take 3 days before they’re available but they’ve been accepted into the archive. I’ll continue to bring in more packages with security fixes at the same time as we connect the automated processes.

1 Like