Re: New stable version after Sarge

Neil McGovern wrote:
On Tue, Jan 04, 2005 at 02:58:42PM -0500, roberto@familiasanchez.net wrote:

I would strongly caution against using Sarge for a production system
until there is security team support.  See this message I posted to d-u
when someone pointed out that they were running sarge on some servers:
Recently, I've started using testing on production servers.

I subscribe to debian-security (+ d-s-announce) and get reports whenever
there's anything released.
I know what is installed on my boxes, so I know if this announcement
affects me.

You are probably in the minority, then.

If it's been put into unstable, I'll backport the change myself. If it's
not, Then I'll have a look at upstream's solution, and patch as

This is good.

Recently, I did have a box rooted. This was due to a user running phpbb
on the system, without me knowing, despite the policy of no software
without clearance from me.

That really sucks.

There's also not necessarily a 10 day waiting period if the urgency is
set high.

The only thing you did not address is when there is a security fix for which
there is not an announcement.  If a package is not already in Woody,
then it is not receiving security team support and will go under the
radar.  Additionally, some maintainers work closely with upstream and
fix the problems almost immediately.  In both of those cases, you would
need to be monitoring the changelog for each of your packages and
watching for security-related changes to packages.

That makes me wonder.  I know that there are tools like cron-apt that
will perform apt-related tasks through cron jobs.  Is there a way to
make it (or another tool) download the changelogs and email you any new

-Roberto Sanchez
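As an added illustration (not code from the thread, cron-apt or Debian), here is the parsing and comparison half of the tool Roberto asks about above: given a package's changelog on disk, it finds entries that have not been seen before and that mention security, and formats a report a cron job could mail. It also covers the earlier points in the thread, since it records each entry's urgency field and catches fixes that maintainers ship without a DSA, as happens for packages that are not in Woody. Fetching is left to apt (modern apt has `apt-get changelog <pkg>`) or a mirror. The package name, versions, maintainer address and changelog text are constructed sample data, and the keyword list is a heuristic assumption.

```python
"""Flag new, security-related entries in Debian changelogs.

Added example, not from the thread or from cron-apt: one way to do what the
message above asks for once the changelogs are on disk (modern apt can fetch
them with `apt-get changelog <pkg>`; cron or cron-apt would run this and mail
the report). Package names, versions and changelog text below are
constructed sample data.
"""
import re
import sys
from dataclasses import dataclass

# Entry header, e.g. "phpbb2 (2.0.11-2) unstable; urgency=high"
HEADER = re.compile(
    r'^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) '
    r'(?P<dist>[^;]+); urgency=(?P<urgency>\w+)', re.M)

# Heuristic keywords marking an entry as security-relevant (assumption:
# maintainers mention these when they backport a fix).
SECURITY = re.compile(
    r'\b(CVE-\d{4}-\d{4,}|DSA-\d+|security|XSS|remote code execution|'
    r'buffer overflow|privilege escalation)\b', re.I)


@dataclass
class Entry:
    package: str
    version: str
    urgency: str
    body: str

    def security_hits(self):
        """Distinct security keywords found in this entry's text."""
        return sorted({m.group(0).lower() for m in SECURITY.finditer(self.body)})


def parse_changelog(text):
    """Split a Debian changelog into entries, newest first as in the file."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append(Entry(m['pkg'], m['version'], m['urgency'],
                             text[m.end():end]))
    return entries


def new_security_entries(text, seen_versions):
    """Entries not yet seen (by exact version string) that mention security.

    Exact-string matching sidesteps Debian version ordering; dpkg's
    --compare-versions would be the precise tool if ordering mattered.
    """
    return [e for e in parse_changelog(text)
            if e.version not in seen_versions and e.security_hits()]


def report(entries):
    """Plain-text summary suitable as a mail body; empty string if nothing new."""
    lines = []
    for e in entries:
        lines.append(f"{e.package} {e.version} (urgency={e.urgency}): "
                     f"{', '.join(e.security_hits())}")
    return "\n".join(lines)


# Constructed sample changelog (not a real package history).
SAMPLE = """\
phpbb2 (2.0.11-2) unstable; urgency=high

  * Backport upstream fix for a remote code execution flaw
    (security update).

 -- Example Maintainer <maintainer@example.org>  Tue, 04 Jan 2005 15:00:00 -0500

phpbb2 (2.0.11-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 03 Jan 2005 09:00:00 -0500
"""

if __name__ == "__main__":
    # usage: python changelog_watch.py <changelog-file> <seen-versions-file>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    seen = set(open(sys.argv[2]).read().split()) if len(sys.argv) > 2 else set()
    print(report(new_security_entries(text, seen)))
```

Run from cron with the changelog and a file of already-reported version strings, pipe the output into `mail` when it is non-empty, and append the reported versions to the seen file; the heuristic keyword list is the part to tune for your own packages.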