Re: Please upload signed kernel images at the same time as unsigned ones
On Mon, 23 Jan 2017 at 13:57:02 +0100, Jan Ingvoldstad wrote:
> On Mon, Jan 23, 2017 at 6:09 AM, Ben Hutchings <[1]ben@decadent.org.uk> wrote:
>
> And if you insist you want fixes a.s.a.p. you should be using unstable
>
>
> Didn't you mean to write "stable", there?
>
> Unstable often gets security fixes later than stable.
Either stable-security or unstable.
Unstable is not consistently faster than stable-security, but neither is it
consistently slower. In particular, stable-security doesn't get minor
security fixes (those that don't justify a DSA) at all.
Both unstable and stable-security are usually updated sooner than
testing, which is updated sooner than backports (assuming maintainers
are following the normal backports procedure and not fast-tracking in
security-fix versions from unstable). The kernel maintainers presumably
don't have the necessary resources to be able to fast-track security-fix
versions of the kernel into backports without causing unacceptably many
regressions.
Stable (I'm not counting the extra security apt source as part of stable
here) gets most security fixes from unstable, but not all, and is updated
very slowly - that's sort of the point. It has a greater time-lag than
either testing or backports.
If you want *kernel* fixes, specifically, as fast as possible, then you
should be using kernels from unstable or directly from upstream.
The price you pay for that is that you are also getting exciting new
regressions (and in the case of upstream kernels, no support from
Debian, because there's a limit to how many configurations Debian
has the resources to support).
The bottom line is that the more regressions you are prepared to put
up with, the sooner you can have new things. The various Debian suites
are all compromises, because there is no perfect solution that would
give you the ideal situation (all the security fixes, none of the
regressions).
S
Reply to: