[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Trusting Backports and unofficial Repositories

On Sun, 18 Jul 2004 13:41:59 +0200, Jerome wrote in message 
<[🔎] 20040718134159.5122c2f8@localhost>:

> Dear Philipp,
> On Sun, 18 Jul 2004 13:20:50 +0200
> "Philipp" <mailinglists@oberberg.net> wrote:
> > 1) Are you using unofficial repositories on production servers ?
> I'm using PHP from dotdeb.org. It provides PHP 4.3.8 and PHP 5.00 for
> woody. The guy who do that work for a french isp, so I think it's
> "safe" I havn't any problem with these packages, I'm using it for a
> year now.-----8<--------
> deb http://packages.dotdeb.org ./
> -----8<--------
> >
> > 4) What about security.debian.org ? If a vuln is found and
> > security.debian.org gives out a fixes version, and i gave
> > security.debian.org and the unofficial repository in my 
> > sources.list, what will happen ?

..the red lines in http://backports.org/changelog.html are the
backport security updates.  Also see my response below.

> As the version in unofficial package will be higher, you will stay
> with it. You can force this mechanism with apt-pinning, aptitude or
> with holding package.

..http://backports.org/contribute.html provides "Reduce the Debian
version by one, and add a string like backports.org.1 (prefered one, so
it's clear where this backport comes from) to it, if this is the first
release of that backport. For example, if you backport libfoo_1.2.3-4,
the backport will be libfoo_1.2.3-3.backports.org.1, and you can raise
the last number when you fix bugs in your backports."
> Package in woody, and from security.debian.org are always patch for
> security hole. 

..for your local site mirrors of security.debian.org, what do 
you guys use?

..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

Reply to: