Hello.

rich:
> What I don't understand is why it is so horrendously insecure to run
> testing - as I understand it when a vulnerability is found, a new
> version of the program is normally released which fixes the problem.

AFAIK, the catch is that the Debian Security Team is maintaining stable - so when a vulnerability *in a stable package* is found, then the Security Team issues a patch (and a debian-security-announce email). If a vulnerability is in a package that is not in stable (or does not affect the stable version of a package), you have to wait until the maintainer packages the new upstream version or patches the package himself. Only the packages in stable, and only these particular versions, are under the careful eye of the Security Team; this is a lot less than testing currently holds.

> This new version is built by the debian team & put into unstable and
> then after a bit (do I remember reading somewhere that it used to take
> 10 days but is now more like 2?) migrates into testing. Surely that
> means the longest you're likely to be vulnerable is 10 days?

Again - AFAIK, this is 10 days by default, shorter if the package is urgency=high, but then longer if there are some unresolved dependencies, the package is not in sync on other architectures (not sure about this one), has some RC bugs and so on, not to mention the responsiveness of the maintainer in the first place. So it's not that simple, unfortunately.

Cheers,
-- Shot, running sid :o)

-- 
When the coughing increases, I leave out the next variation. If there is no coughing, I play them in order. The record so far is 18 variations, in New York.
-- Sergei Rachmaninoff on his 20 Corelli Variations
================================================ http://shot.pl/hovercraft/ ===