Re: Trusting Backports and unofficial Repositories

Dear Philipp,

On Sun, 18 Jul 2004 13:20:50 +0200
"Philipp" <mailinglists@oberberg.net> wrote:
> 1) Are you using unofficial repositories on production servers ?
I'm using PHP from dotdeb.org. It provides PHP 4.3.8 and PHP 5.00 for woody.
The guy who does that works for a French ISP, so I think it's "safe".
I haven't had any problems with these packages; I've been using them for a year now.
deb http://packages.dotdeb.org ./

> 4) What about security.debian.org ? If a vuln is found and
> security.debian.org gives out a fixed version, and I gave
> security.debian.org and the unofficial repository in my
> sources.list, what will happen ?
As the version in the unofficial package will be higher, you will stay with it. You can force this mechanism with apt-pinning, aptitude, or by holding the package.

Packages in woody and from security.debian.org are always patched for security holes. So I think an old PHP 4.1 from woody is as secure as the latest from dotdeb.
Using unofficial packages is to get more "new" features.

