[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security support on tier-2 (was: Re: COUNT(buildd) IN (2,3))

On Monday 14 March 2005 20:07, Julien BLACHE wrote:
> Stephen Gran <sgran@debian.org> wrote:
> >> > Thus the problem is less in the development and more in the support
> >> > of testing requirements (all arches in sync) and stable support
> >> > (security response time). Therefore the N<=2 requirement is only
> >> > needed for tier-1 arches but not for the tier-2 which will not
> >> > officially release a stable.
> >>
> >> What is the detailed reasoning for this requirement anyway ?
> >
> > I thought that was fairly clear - a 12 day build of a security fix is
> > unacceptable, especially since it hampers getting that fix out the door
> > for everyone else.
> Then we have to adjust our security support policy. Define Tier-1
> archs for security support, release updates for them first. Then for
> the others. I fail to see how this could be a problem.

The problem for me is on machines (like my old sparc nameserver, providing 
service for 1500 users, being attacked multiple times a day) where receiving 
a security update days later[1] is no option. Having sparc in tier-1 without 
zero-day security updates would be no use to me, because I couldn't honestly 
say that "all tier-1 architectures are fit for production use and properly 
supported by Debian."

I don't know what to do with tier-1.5 arch fulfilling everything except prompt 
security updates.

Regards, David

[1] Time to Exploitation after announcement is going down to hours. Attack 
rates are in the some-per-hour range. Prototype flashworm simulations reach 
99% infection in seconds. And I don't see how it is getting any better.
- hallo... wie gehts heute?
- *hust* gut *rotz* *keuch*
- gott sei dank kommunizieren wir über ein septisches medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15

Reply to: