Re: Reflecting on users and security updates

To: debian-project@lists.debian.org
Subject: Re: Reflecting on users and security updates
From: Wouter Verhelst <wouter@debian.org>
Date: Sun, 01 Jun 2014 10:20:46 +0200
Message-id: <[🔎] 1549289.HpFJTOQGzh@grep.be>
In-reply-to: <201405100015.03088.stuart@debian.org>
References: <201405100015.03088.stuart@debian.org>

[sorry for replying to this very late, but I thought it relevant...]

Op zaterdag 10 mei 2014 00:15:02 schreef Stuart Prescott:
> == sources.list
> 
> Many users of stable releases don't have security.debian.org in the
> sources.list. I can only wildly speculate as to how this happens... if the
> installer doesn't find a network connection at install time it leaves a
> pretty weird looking sources.list and we know lots of people manage to not
> fix properly. The sources.list that the installer leaves in this case is
> certainly sub-optimal.
> 
> Why do we have a separate archive for security at all? "Separate teams" and
> "hysterical raisins" are possible reasons. Not waiting for a mirror pulse to
> push out updates is another. Is there any technical reason right now to not
> copy security updates into the stable release at the next dinstall run
> rather than waiting a few months for a point release? What would be
> required to merge these and simplify life for our users?

There are sometimes good reasons not to install security updates immediately:

- Not all security updates are as critical as the heartbleed bug, and while
  the security team has a good track record, it is not 100% perfect in the
  area of "no regressions". In large environments, system administrators may 
  want to evaluate non-critical security updates before applying them
  "immediately".
- In some environments, "reproducability of an installation" is much more 
  important than "security" (e.g., because the system is used as a monitoring 
  system in a controlled environment that is not connected to the Internet, 
  where unexpected functionality changes could be life-threatening for the 
  people using the system). In that area, the ability to point to a point 
  release and say "install this", without having to qualify things about 
  security releases, is a feature.

While I agree that disabling security updates should be almost impossible for 
novice users, I don't think merging the two repositories is a good idea.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Reply to:

Next by Date: Debian Maintainers Keyring changes
Next by thread: Debian Maintainers Keyring changes
Index(es):
- Date
- Thread