
Re: Food for thought - SECURITY (design flaw?)

Andrea Glorioso (sama@aglorioso.com) wrote on 11 February 2001 11:07:
 >>>>>> "Laz" == Lazarus Long <lazarus@overdue.dhis.net> writes:
 >    Laz> Something seems "not quite right" with choosing
 >    Laz> woody/testing, as "safer" than sid.
 >If you want security, stick with potato. Bleeding-edge software (or
 >near bleeding-edge software) rarely can give you the kind of
 >security assurance that you need if you put a security.debian.org
 >line in your /etc/apt/sources.list.

But it would if security patches were incorporated in testing as well.
So I agree with Laz that it's a design bug.

Note that we're talking about security-relevant packages, which are a
small portion of the total.

A question: with the change to the pool directories, is testing on the
new scheme or only unstable?

Another IMPORTANT question: how can it be that packages have newer
versions in testing than in unstable, e.g. man-db????

I'm really lost with all of this. I usually upgrade using dftp,
configured to look at dists/woody/main, dists/woody/contrib and
dists/woody/non-free on ftp.us.debian.org. I recently tried to use
apt via dselect, and it gets older versions of packages!! It reports
many "obsolete" installed packages because the versions it gets are
older than the installed ones :-( It's not a config problem in apt; I
checked by looking at the Packages file with the browser...

I'm sending this to the sec list because it has security implications,
e.g. the man-db affair.
