Neil McGovern wrote:
On Tue, Jan 04, 2005 at 02:58:42PM -0500, roberto@familiasanchez.net wrote:I would strongly caution against using Sarge for a production system until there is security team support. See this message I posted to d-u when someone pointed out that they were running sarge on some servers: http://lists.debian.org/debian-user/2004/12/msg03846.htmlInteresting. Recently, I've started using testing on production servers. I subscribe to debian-security (+ d-s-announce) and get reports whenever there's anything released. I know what is installed on my boxes, so I know if this announcement affects me.
You are probably in the minority, then.
If it's been put into unstable, I'll backport the change myself. If it's not, Then I'll have a look at upstream's solution, and patch as required.
This is good.
Recently, I did have a box rooted. This was due to a user running phpbb on the system, without me knowing, despite the policy of no software without clearance from me.
That really sucks.
There's also not necesarrily a 10 day waiting period if the urgency is set high. Neil
The only you did not address is when there is a security fix for which there is not an announcement. If a package is not already in Woody, then it is not receiving security team support and will go under the radar. Additionally, some maintainers work closely with upstream and fix the problems almost immediately. In both of those cases, you would need to be monitoring the changelog for each of your packages and watching for security-related changes to packages. That makes me wonder. I know that there are tools like cron-apt that will perform apt-related tasks through cron jobs. Is there a way to make it (or another tool) download the changelogs and email you any new ones? -Roberto Sanchez
Attachment:
signature.asc
Description: OpenPGP digital signature