[vox-tech] Installing KDE from unofficial apt sources... could be dangerous.

Mike Simons vox-tech@lists.lugod.org
Thu, 22 May 2003 16:01:10 -0400



On Wed, May 21, 2003 at 02:24:16PM -0700, Richard Burkhart wrote:
> I'm running a Deb-testing system... and trusted apt-get a bit more than I
> should have.
>
> a) Anyone else have apt-get try to update 108 megs of KDE libraries, and
> have the update die because one of the main packages (kdelibs4) is held
> back? -- destroying KDE in the process?  If you haven't -- watch out with
> that upgrade thingie.

  The term "held back" here could mean many things.

- It could be that a local explicit configuration pin on the package, done by
  you, is holding it back.
- It could be that "apt-get upgrade" was run instead of "apt-get
  dist-upgrade", which do different things and so "upgrade" held
  the package because you told it to (one should generally use the
  dist-upgrade).
- It could be that the library you mention has bugs which are preventing
  it from entering testing, but if the dependencies are correct for
  the other packages this should not break your system, because they
  would not have been released into testing if they rely on something
  not yet in testing.

  Regardless... a held back package should never hurt your system,
it *does* prevent you from getting the latest version of something
and damaging your system with broken packages.


> b) short of actually LOOKING at the "we're going to replace" report like
> anyone with brains would have ... any way I can tell that 'this upgrade will
> not work, and will kill one of your environments in the process'?

  An apt upgrade should never kill your system... if it does, something
wrong with the packages being installed is thousands of times
more likely than something wrong with what apt did.


> c) the debian-bugs listings are telling me why a library/package is busted,
> and what packages it depends on that are busted ... but are there any decent
> places to find estimates on how soon it'll be fixed?

  No accurate time estimates ever.  There are bugs in the tracking system
that are over 6 years old... just cause one is filed does not mean it
will ever get fixed.  Bugs get fixed when people interested enough in
them work to fix them... and even motivated people take time.


On Wed, May 21, 2003 at 07:09:53PM -0700, Ken Bloom wrote:
> What unofficial apt source are you using for KDE? KDE 3 hasn't
> propagated to testing yet. As a result, I don't think the debian bug
> listings will be too helpful for you.

On Wed, May 21, 2003 at 10:11:38PM -0700, Richard Burkhart wrote:
> Ok ... there'd be issue 1 -- I've got main and testing at
> download.us.kde.org in my apt list.

  If you are mixing and matching official debian with un-official
debian packages for large complex projects like KDE and Gnome, you
had better know what you are doing.  It is possible for things to
be maintained by different people, compiled with incompatible options,
and taking different directions...

  Un-official sources are not bad, but if you are pulling stuff and
those things break your system it is probably not a Debian problem,
probably not a problem with apt, and maybe not a problem with what
you were trying to do.  Regardless, it's your pile of pieces.

  I recommend you try to remove the unofficial KDE apt sources,
and do an apt-get update, apt-get dist-upgrade to see if that fixes
things.

-- 
GPG key: http://simons-clan.com/~msimons/gpg/msimons.asc
Fingerprint: 524D A726 77CB 62C9 4D56  8109 E10C 249F B7FA ACBE

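Added example, not part of the original message: one way to answer question (b) in the thread is to run the upgrade in apt's simulation mode (`apt-get -s dist-upgrade`) and flag removals and kept-back packages before anything is installed. The sample output and the function names `sim_removed`, `sim_kept_back` and `check_upgrade` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s dist-upgrade` output (not from the thread).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  kdebase konqueror
The following packages have been kept back:
  kdelibs4
The following packages will be upgraded:
  kdelibs-data libarts1
2 upgraded, 0 newly installed, 2 to remove and 1 not upgraded.
Remv kdebase [4:2.2.2-14]
Remv konqueror [4:2.2.2-14]
Inst kdelibs-data [4:2.2.2-13] (4:3.1.2-0)
Conf kdelibs-data (4:3.1.2-0)'

# Packages the transaction would remove: second field of each "Remv" line.
sim_removed() {
    awk '$1 == "Remv" { print $2 }'
}

# Packages listed on the indented lines under the "kept back" heading.
sim_kept_back() {
    awk '/^The following packages have been kept back/ { in_sec = 1; next }
         in_sec && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
         { in_sec = 0 }'
}

# Read simulation output on stdin, print a report, and return non-zero
# if the upgrade would remove or hold back anything.
check_upgrade() {
    sim=$(cat)
    removed=$(printf '%s\n' "$sim" | sim_removed | tr '\n' ' ')
    kept=$(printf '%s\n' "$sim" | sim_kept_back | tr '\n' ' ')
    [ -n "$removed" ] && echo "would REMOVE: $removed"
    [ -n "$kept" ] && echo "kept back:    $kept"
    [ -z "$removed$kept" ]
}

# Demo on the constructed sample. On a real system, feed it live output:
#   LC_ALL=C apt-get -s dist-upgrade | check_upgrade
printf '%s\n' "$SAMPLE_SIM" | check_upgrade || echo "review before upgrading"
```

`LC_ALL=C` keeps apt's section headings in English so the "kept back" match works regardless of the system locale.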