Security support on tier-2 (was: Re: COUNT(buildd) IN (2,3))
On Monday 14 March 2005 20:07, Julien BLACHE wrote:
> Stephen Gran <sgran@debian.org> wrote:
> >> > Thus the problem is less in the development and more in the support
> >> > of testing requirements (all arches in sync) and stable support
> >> > (security response time). Therefore the N<=2 requirement is only
> >> > needed for tier-1 arches but not for the tier-2 which will not
> >> > officially release a stable.
> >>
> >> What is the detailed reasoning for this requirement anyway ?
> >
> > I thought that was fairly clear - a 12 day build of a security fix is
> > unacceptable, especially since it hampers getting that fix out the door
> > for everyone else.
>
> Then we have to adjust our security support policy. Define Tier-1
> archs for security support, release updates for them first. Then for
> the others. I fail to see how this could be a problem.
The problem for me is on machines (like my old sparc nameserver, providing
service for 1500 users, being attacked multiple times a day) where receiving
a security update days later[1] is no option. Having sparc in tier-1 without
zero-day security updates would be no use to me, because I couldn't honestly
say that "all tier-1 architectures are fit for production use and properly
supported by Debian."
I don't know what to do with tier-1.5 arch fulfilling everything except prompt
security updates.
Regards, David
[1] Time to Exploitation after announcement is going down to hours. Attack
rates are in the some-per-hour range. Prototype flashworm simulations reach
99% infection in seconds. And I don't see how it is getting any better.
--
- hallo... wie gehts heute?
- *hust* gut *rotz* *keuch*
- gott sei dank kommunizieren wir über ein septisches medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
Reply to: