
Re: Reflecting on users and security updates



On 05/09/2014 16:15, Stuart Prescott wrote:
> == sources.list
> 
> Many users of stable releases don't have security.debian.org in the 
> sources.list. I can only wildly speculate as to how this happens... if the 
> installer doesn't find a network connection at install time it leaves a pretty 
> weird looking sources.list and we know lots of people manage to not fix 
> properly. The sources.list that the installer leaves in this case is certainly 
> sub-optimal.

What do they end up with in sources.list? It would probably be nice if
there were entries like

  # deb http://http.debian.org/debian wheezy main
  # deb http://security.debian.org/debian-security wheezy/updates main

(with comments) in case no network mirror is added by the installer.
Maybe with a comment asking to enable *both* if network is accessible.

> Why do we have a separate archive for security at all? "Separate teams" and 
> "hysterical raisins" are possible reasons. Not waiting for a mirror pulse to 
> push out updates is another. Is there any technical reason right now to 
> not copy security updates into the stable release at the next dinstall run 
> rather than waiting a few months for a point release? What would be required 
> to merge these and simplify life for our users?

Some reasons are:

The "stable" suite is signed with an offline signing key. It cannot be
easily changed.

Security updates should be delivered via fast and (more) secure mirrors.
If someone grabs a security update for, say, ssh it is likely he is
vulnerable. Delivering security updates via a trusted mirror network
reduces that risk.

The security archive contains updates covered by embargoes that should
not be leaked. Log files and database replicas for the main archive are
more or less public. (Arguably one could have a private archive for just
embargoed issues and push to the main archive to release them.)

Having two archives makes it possible to release updates should one
break. ;)

And of course all the historic reasons.

Ansgar
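The sources.list problem raised above (a stable system with no active security.debian.org line, for example because the installer left the entry commented out) is easy to check for mechanically. The script below is an added example, not part of the thread and not a Debian tool: it defines a small check that looks for an uncommented `deb` line pointing at security.debian.org for a given release codename, and runs it over two constructed sources.list files (one broken, one correct). The `wheezy/updates` suite naming is taken from the thread; the sample file contents and the function name `has_security_entry` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): detect whether an apt
# sources.list has an *uncommented* security.debian.org entry for the
# release codename given. Exit status 0 = present, 1 = absent.
# Both sample files below are constructed for illustration only.

has_security_entry() {
    file="$1"
    codename="$2"
    # A line counts only if it starts with "deb" (not "#"), names
    # security.debian.org, and carries the "<codename>/updates" suite
    # before any trailing comment.
    grep -Eq "^[[:space:]]*deb[[:space:]]+[^#]*security\.debian\.org[^#]*[[:space:]]${codename}/updates([[:space:]]|\$)" "$file"
}

# Constructed sample 1: the kind of file a network-less install can leave
# behind; the security line exists only as a comment, so it is inactive.
sample_missing="$(mktemp)"
cat > "$sample_missing" <<'EOF'
deb cdrom:[Debian GNU/Linux 7.6.0 _Wheezy_ - Official amd64 CD Binary-1]/ wheezy main
# deb http://security.debian.org/debian-security wheezy/updates main
EOF

# Constructed sample 2: a correctly configured stable system with both
# the main mirror and the security archive enabled.
sample_ok="$(mktemp)"
cat > "$sample_ok" <<'EOF'
deb http://http.debian.org/debian wheezy main
deb http://security.debian.org/debian-security wheezy/updates main
EOF

# Human-readable report for one file; the real signal is the exit status
# of has_security_entry, which scripts can act on directly.
report() {
    if has_security_entry "$1" "$2"; then
        echo "$1: security updates for $2 are enabled"
    else
        echo "$1: WARNING: no active security.debian.org entry for $2"
    fi
}

report "$sample_missing" wheezy
report "$sample_ok" wheezy
```

On a live system the same check is `has_security_entry /etc/apt/sources.list wheezy` (substitute the codename of the installed release). Two caveats: apt also reads `/etc/apt/sources.list.d/*.list`, so a complete audit has to scan those files too, and the suite name changed with Debian 11, where the security suite is `bullseye-security` rather than `bullseye/updates`, so the pattern needs adjusting for current releases.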

