Re: Reflecting on users and security updates
[sorry for replying to this very late, but I thought it relevant...]
Op zaterdag 10 mei 2014 00:15:02 schreef Stuart Prescott:
> == sources.list
> Many users of stable releases don't have security.debian.org in the
> sources.list. I can only wildly speculate as to how this happens... if the
> installer doesn't find a network connection at install time it leaves a
> pretty weird looking sources.list and we know lots of people manage to not
> fix properly. The sources.list that the installer leaves in this case is
> certainly sub-optimal.
> Why do we have a separate archive for security at all? "Separate teams" and
> "hysterical raisins" are possible reasons. Not waiting for a mirror pulse to
> push out updates is another. Is there any technical reason right now to not
> copy security updates into the stable release at the next dinstall run
> rather than waiting a few months for a point release? What would be
> required to merge these and simplify life for our users?
There are sometimes good reasons not to install security updates immediately:
- Not all security updates are as critical as the heartbleed bug, and while
the security team has a good track record, it is not 100% perfect in the
area of "no regressions". In large environments, system administrators may
want to evaluate non-critical security updates before applying them
- In some environments, "reproducability of an installation" is much more
important than "security" (e.g., because the system is used as a monitoring
system in a controlled environment that is not connected to the Internet,
where unexpected functionality changes could be life-threatening for the
people using the system). In that area, the ability to point to a point
release and say "install this", without having to qualify things about
security releases, is a feature.
While I agree that disabling security updates should be almost impossible for
novice users, I don't think merging the two repositories is a good idea.
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26