
Re: security warnings (on unstable)

On Wed, Oct 01, 2003 at 11:17:40 +0200, Christian Jaeger wrote:
> What's the best way to let machines (running unstable) warn me about
> pending upgrades marked as security relevant (or just relevance high)?

http://www.debian.org/security/faq#testing :
"Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving
targets and the security team does not have the resources needed to properly
support those. If you want to have a secure (and stable) server you are
strongly encouraged to stay with stable. However, the security secretaries
will try to fix problems in testing and unstable after they are fixed in the
stable release."

Thus, if you need to handle security issues for a machine running unstable,
your best bet is to
- Subscribe to debian-security-announce to get the security advisories for
  stable, then determine if the issue affects unstable, and, if so, check
  unstable and incoming.debian.org for fixed packages or make them yourself.
- Subscribe to debian-devel to follow unstable-specific security issues.

That said, IMHO if you think about deploying unstable in an ISP setting you
should step back and take a very, very good look at why you are even
thinking about that. For an ISP, what you want is reliability and stability.
Stable (if necessary augmented with selective backports or additions from
apt-get.org) will give you that, unstable won't.

Outlook Express is free, and also sometimes lets strangers share your hard
disk - is this anarchism?
	The Register's Graham Lea commenting on Steve Ballmer's comparison of
	Linux to communism in http://www.theregister.co.uk/content/1/12266.html
