It would appear that even if you install ONLY the sun java package it
drags in some GNU java stuff as well.

You can go through everything in /etc/alternatives and update it
manually but that is somewhat time consuming.

Instead just run:

sudo /usr/sbin/update-java-alternatives --set java-1.5.0-sun

and this will sort everything :)

Here is a quick guide to getting MySQL installed on Debian Etch without pulling
in anything from testing or unstable.

Now there are a number of different ways you could do this but I wanted a debian
package (as I have banned installing anything from source on new servers at work).

After some google action I found that Norbert Tretkowski had submitted packages to experimental
However after checking these out they wanted to pull things in from testing and/or unstable and I didn't want
that (especially considering it wanted to upgrade libc6)

That said it turned out that this package would build fine on Etch by doing the following:

Add the following to /etc/apt/sources.list:

deb http://ftp.uk.debian.org/debian/ experimental main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ experimental main contrib non-free


Then create /etc/apt/preferences with the following in:

Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900
Package: *
Pin: release o=Debian
Pin-Priority: -1

which basically says "only install stuff from stable".

Next we get the dev tools and the build dependencies:

aptitude install dpkg-dev devscripts
apt-get build-dep mysql-server-5.1


Then build the .debs:

cd mysql-dfsg-5.1-5.1.24rc
debuild


Once that has finished get the run time deps:

aptitude install libdbd-mysql-perl libdbi-perl


And finally install the .debs we created earlier:

cd ..
dpkg -i *.deb


...and there you go, MySQL 5.1 on Debian Etch :)

So it would appear that Debian "fixed" a problem in OpenSSL a few years ago. Unfortunately this "fix" has meant that they have had to release this security announcement.

Now this vulnerability is quite bad, so much so that Debian have stated the following:

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

Ben Laurie has posted a great blog entry as to why this so stupid. This quote from that entry sums the problem up nicely:

Secondly, if you are going to fix bugs, then you should install this maxim of mine firmly in your head: never fix a bug you don’t understand.