
Re: Temporal Release Strategy



Adrian Bunk <bunk@stusta.de> writes:

> You say you've deployed Debian sarge and sid in server environments 
> (even sarge, although months old security fixes might be missing???).

Sure.  Frankly, sarge has better security support than we ever got from
Sun for commercial versions of Solaris.  Don't run the things that aren't
secure, pay attention to advisories, and be willing to grab something from
sid in the case of dire emergencies, and sarge provides a perfectly
acceptable security profile.  Servers generally expose very few things to
the network and one rarely cares about local exploits.

Now, Debian stable is far *better* on security, and in fact I would say
that Debian stable has better security support than any other operating
system I've ever seen.  I would *prefer* to have Debian stable's level of
security support for servers.  But if I have to have Apache 2.x or some
other package that just isn't easily available for stable, going with
sarge rather than backports is a reasonable decision and one that I'm
quite comfortable with.

Really, the worry about using sarge in production is not the security
support, it's the fact that things keep changing all the time and in ways
that may introduce bugs.  The stability and the lack of change in anything
other than security are the important bits for stable for me, and what I'm
currently really missing in an environment where I'm mostly running sarge
(mostly because we need Apache 2.x, partly because we also need a newer
OpenLDAP).

> Regarding sarge:

> I do personally know people who had serious mail loss due to #220983. At
> the time I reported this bug, it was present in sarge. This problem
> couldn't have happened in a Debian stable (because it would have been
> discovered before the release would have been declared stable). These
> kinds of problems that can occur every day in sarge _are_ dangerous
> problems.

Yeah, this is more the thing that I'd worry about when running sarge on a
server.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
