Re: New stable version after Sarge

On Tue, Jan 04, 2005 at 07:45:12PM -0500, Roberto Sanchez wrote:
> >I subscribe to debian-security (+ d-s-announce) and get reports whenever
> >there's anything released.
> >I know what is installed on my boxes, so I know if this announcement
> >affects me.
> >
> You are probably in the minority, then.

Yes, probably, but I'm using testing, which isn't supported by the
standard security team.
Therefore, it's now my sole responsibility to look at security changes.

> >Recently, I did have a box rooted. This was due to a user running phpbb
> >on the system, without me knowing, despite the policy of no software
> >without clearance from me.
> >
> That really sucks.

Yup. It's annoying to have to travel down to London because of it. The
user was suitably 'chastised' :)

> The only thing you did not address is when there is a security fix for which
> there is not an announcement.  If a package is not already in Woody,
> then it is not receiving security team support and will go under the
> radar.  Additionally, some maintainers work closely with upstream and
> fix the problems almost immediately.  In both of those cases, you would
> need to be monitoring the changelog for each of your packages and
> watching for security-related changes to packages.

These normally crop up in either:
* security list and/or
* various irc channels

However, it's not something that I would expect a normal user to do. But
I wouldn't be expecting a normal user to be using testing for a
production system.

> That makes me wonder.  I know that there are tools like cron-apt that
> will perform apt-related tasks through cron jobs.  Is there a way to
> make it (or another tool) download the changelogs and email you any new
> ones?

Would be worth writing, but IMO a list with various people looking at
different changelogs is just as reliable. Like various lists already out
there :)
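As an added example (not code from anyone in this thread), one way to do what Roberto asks: a cron-friendly script that pulls the changelog of each package apt wants to upgrade and prints only the entries newer than the installed version that mention a CVE id or "security". The wrapper assumes `apt-get changelog` (apt 0.8.8 or later) and dpkg-query are present; the filter itself is plain awk and is exercised here on a constructed sample changelog with a placeholder CVE id.

```shell
# Added example (not code from the thread): flag security-related changelog
# entries for packages apt wants to upgrade, for mailing from cron. Assumes
# `apt-get changelog` (apt >= 0.8.8) and dpkg-query exist for the wrapper.

# security_entries INSTALLED_VERSION: read a Debian changelog on stdin, print
# each entry newer than INSTALLED_VERSION mentioning a CVE id or "security".
security_entries() {
    awk -v inst="$1" '
        # Entry header: "pkg (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\)/ {
            ver = $2; gsub(/[()]/, "", ver)
            if (ver == inst) exit          # everything below is already installed
            inblock = 1; blk = ""; flagged = 0
        }
        inblock {
            blk = blk $0 "\n"
            if ($0 ~ /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/ || tolower($0) ~ /security/) flagged = 1
            # Trailer " -- Name <addr>  Date" closes the entry
            if ($0 ~ /^ -- /) { if (flagged) printf "%s", blk; inblock = 0 }
        }'
}

# Cron wrapper; pipe its output to mail, e.g. report_upgradable | mail -s changelogs root
report_upgradable() {
    apt-get -s upgrade 2>/dev/null | awk '/^Inst /{print $2}' | while read -r pkg; do
        inst=$(dpkg-query -W -f='${Version}' "$pkg")
        apt-get changelog "$pkg" 2>/dev/null | security_entries "$inst"
    done
}

# Constructed sample changelog (placeholder CVE id), three entries, newest first.
SAMPLE_CHANGELOG='phpbb2 (2.0.13-2) unstable; urgency=high

  * Fix input validation bug (CVE-0000-00000)

 -- Example Maintainer <maint@example.invalid>  Mon, 03 Jan 2005 10:00:00 +0000

phpbb2 (2.0.13-1) unstable; urgency=low

  * New upstream release

 -- Example Maintainer <maint@example.invalid>  Sun, 02 Jan 2005 10:00:00 +0000

phpbb2 (2.0.12-1) unstable; urgency=low

  * Security fix that is already installed and must not be reported

 -- Example Maintainer <maint@example.invalid>  Sat, 01 Jan 2005 10:00:00 +0000'
demo() { printf '%s\n' "$SAMPLE_CHANGELOG" | security_entries 2.0.12-1; }
```

Running `demo` prints only the 2.0.13-2 entry: the 2.0.13-1 entry has no security keyword and everything from the installed 2.0.12-1 downwards is skipped.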

