[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reflecting on users and security updates

[sorry for replying to this very late, but I thought it relevant...]

Op zaterdag 10 mei 2014 00:15:02 schreef Stuart Prescott:
> == sources.list
> Many users of stable releases don't have security.debian.org in the
> sources.list. I can only wildly speculate as to how this happens... if the
> installer doesn't find a network connection at install time it leaves a
> pretty weird looking sources.list and we know lots of people manage to not
> fix properly. The sources.list that the installer leaves in this case is
> certainly sub-optimal.
> Why do we have a separate archive for security at all? "Separate teams" and
> "hysterical raisins" are possible reasons. Not waiting for a mirror pulse to
> push out updates is another. Is there any technical reason right now to not
> copy security updates into the stable release at the next dinstall run
> rather than waiting a few months for a point release? What would be
> required to merge these and simplify life for our users?

There are sometimes good reasons not to install security updates immediately:

- Not all security updates are as critical as the heartbleed bug, and while
  the security team has a good track record, it is not 100% perfect in the
  area of "no regressions". In large environments, system administrators may 
  want to evaluate non-critical security updates before applying them
- In some environments, "reproducability of an installation" is much more 
  important than "security" (e.g., because the system is used as a monitoring 
  system in a controlled environment that is not connected to the Internet, 
  where unexpected functionality changes could be life-threatening for the 
  people using the system). In that area, the ability to point to a point 
  release and say "install this", without having to qualify things about 
  security releases, is a feature.

While I agree that disabling security updates should be almost impossible for 
novice users, I don't think merging the two repositories is a good idea.

It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Reply to: