Re: Conflict re Debian Testing security updates?

[Chris Game <chrisgame@pobox.com>]

Thanks for the speedy reply, Ben. It seems that whether security
updates are applied in Sid is dependent on the package maintainer
being available and willing to do that in a timely way, so must be
more uncertain than Stable which receives updates from the Security
Team (if this wasn't the case the Security Team would be redundant).

So hardly a secure flavour of Debian, which is no doubt why the
advice is to use Stable or check the security status from the
appropriate list - not always practical.

The Debian Testing wiki entry is still confusing in my view, and
would benefit from including some of the information in the
reference you gave.

Regards, Chris Game

On Fri, 14 Dec 2012, Ben Armstrong wrote:

> On 12/14/2012 10:19 AM, Chris Game wrote:
> > Your information on the Debian Testing wiki page
> > http://wiki.debian.org/DebianTesting that:
> >
> > "Compared to stable and unstable, next-stable testing has the worst
> > security update speed.  Don't prefer testing if security is a
> > concern."
> >
> > - seems in conflict with the info on the Debian Security FAQ:
> >
> > Q: How is security handled for unstable?
> >
> > A: The short answer is: it's not. Unstable is a rapidly moving
> > target and the security team does not have the resources needed to
> > properly support it. If you want to have a secure (and stable)
> > server you are strongly encouraged to stay with stable.
> >
> > So is unstable/sid receiving security updates or not?
>
> That's a whole different question which is answered here:
>
> http://wiki.debian.org/DebianUnstable#Does_sid_have_security_updates.3F
>
> And yes, if the maintainer uploads a bug fix promptly, that can be
> quicker than getting the fix in testing through the security team. I
> don't see how these two statements conflict.
>
> Ben