Re: Trusting Backports and unofficial Repositories
On Sun, 18 Jul 2004 13:41:59 +0200, Jerome wrote in message
> Dear Philipp,
> On Sun, 18 Jul 2004 13:20:50 +0200
> "Philipp" <firstname.lastname@example.org> wrote:
> > 1) Are you using unofficial repositories on production servers?
> I'm using PHP from dotdeb.org. It provides PHP 4.3.8 and PHP 5.00 for
> woody. The guy who does that works for a French ISP, so I think it's
> "safe". I haven't had any problems with these packages; I've been using
> them for a year now.
> -----8<--------
> deb http://packages.dotdeb.org ./
> > 4) What about security.debian.org? If a vuln is found and
> > security.debian.org gives out a fixed version, and I have
> > security.debian.org and the unofficial repository in my
> > sources.list, what will happen?
..the red lines in http://backports.org/changelog.html are the
backport security updates. Also see my response below.
> As the version in the unofficial package will be higher, you will stay
> with it. You can force this mechanism with apt-pinning, aptitude or
> by holding the package.
..http://backports.org/contribute.html provides "Reduce the Debian
version by one, and add a string like backports.org.1 (preferred one, so
it's clear where this backport comes from) to it, if this is the first
release of that backport. For example, if you backport libfoo_1.2.3-4,
the backport will be libfoo_1.2.3-3.backports.org.1, and you can raise
the last number when you fix bugs in your backports."
> Packages in woody and from security.debian.org are always patched for
> security holes.
..for your local site mirrors of security.debian.org, what do
you guys use?
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
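
Added example, not part of the original message and not dpkg's or APT's own code: a small Python re-implementation of the Debian version ordering. It shows where a version named by the backports.org rule quoted above sorts relative to official versions. The version strings other than the libfoo ones from the message are constructed, and `highest()` assumes all sources have equal pin priority.

```python
from functools import cmp_to_key

_DIGITS = "0123456789"

def _order(c):
    # dpkg character weights: '~' sorts before everything, end-of-string and
    # digits weigh 0, letters sort by ASCII, other characters after letters.
    if c == "~":
        return -1
    if c == "" or c in _DIGITS:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _digits(s):
    # Leading run of ASCII digits in s (may be empty).
    n = 0
    while n < len(s) and s[n] in _DIGITS:
        n += 1
    return s[:n]

def _cmp_part(a, b):
    # Compare upstream or revision strings: alternate non-digit and digit runs.
    while a or b:
        while (a and a[0] not in _DIGITS) or (b and b[0] not in _DIGITS):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        da, db = _digits(a), _digits(b)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def highest(versions):
    # Assumption: equal pin priorities, so the highest version is the candidate.
    return max(versions, key=cmp_to_key(compare_versions))

BACKPORT = "1.2.3-3.backports.org.1"   # libfoo example from the message
```

With these rules the backport sorts above 1.2.3-3 and below the official 1.2.3-4, while a constructed stable security fix such as 1.2.0-1woody1 sorts below the backport and therefore is not selected over it.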