
Re: Confusing our users - who is supporting LTS?



On Tue, Oct 23, 2018 at 10:05:35PM +0200, Tollef Fog Heen wrote:
> We should not be in the business of distributing known-vulnerable
> software.  There are practical considerations around point releases and
> such which makes this not-really-true for a period of time after there's
> a security update out, but this gets converged at each point release. If
> you look cdimage.d.o, we are only distributing the latest point release.
> I think the same standard should apply to cloud images.

It does; they are distributing the latest (lastest) point release. As you already stipulated, this is no different than the normal state of stable, which is only secure if you update & upgrade with a security sources.list entry.

IMO, the main benefits of point releases are that 1) they reduce the amount you need to download if you are installing from an iso and 2) they are an opportunity to introduce *non* security updates into stable. I'm not sure that either of these are relevant in the context of this thread.

Mike Stone

