
Re: Food for thought - SECURITY (design flaw?)



On Mon, Feb 12, 2001 at 10:43:33AM -0200, Carlos Carvalho wrote:
> Andreas Tille (tillea@rki.de) wrote on 12 February 2001 11:32:
>  >IMHO people of security team shouldn't spend their time to serve
>  >security fixes for testing.  People who want to use testing on
>  >security relevant machines should know what they do and should be
>  >able to handle those issues themselves.  Those hazardeurs could try
>  >to fix important bugs of the package which is stuck in unstable for
>  >whatever reason which would help the whole distribution or backport
>  >the stuff themselves.
> What's the purpose of testing exactly? If it's a preparation for
> becoming stable it should obviously include the security fixes,
> otherwise when the transition testing -> stable happens you're...

It does include security fixes, it merely doesn't include them in as
timely a manner as security.d.o provides for stable.

This is fine for release purposes, but possibly not so fine for people
actually running testing.

(Note that security updates for unstable aren't necessarily timely either;
there hasn't been an update for bind for m68k made available, e.g. This
mightn't bother you if you're running i386, but it can be a problem on
other architectures. testing "suffers" from a least-common-denominator
sort of problem wrt this.)

> If this issue isn't explained I'll just move to unstable and ignore
> testing, because going back to stable is no option.

If you're using stable, you can just point apt at security.d.o and not
have to worry about anything much. You also get a single list to monitor
for security issues. In principle.

If you're using testing, you can watch out for security updates, and only
have to worry about occasional problems and inconsistencies: you don't
end up with perl broken, e.g. (at least so far :). You have to get some of
these updates from unstable, or build them yourself, which is difficult
(at least while apt 0.4 is unreleased).

If you're using unstable, you don't get any assurances at all, but fixes
generally come out fairly quickly.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)
