
Re: Debian security being trashed in Linux Today comments



Okay, this has gone far enough.  The reason that s.d.o only deals with 
stable is that stable is the only part of Debian that by its nature
cannot change.  For unstable (and now testing) if there's a security bug, 
any DD can put up a NMU if it's severe enough, or the regular maintainer 
can fix it in a [relatively] short amount of time. It's just not feasible
to expect a change to propagate in stable, because stable doesn't change 
at all, except in very small spurts: there have been 5 revisions to 
potato in the last [going on 2] years.  THIS is the reason that there's no 
s.d.o support for testing and unstable.  So when woody becomes stable, 
there WILL be s.d.o support for woody, because woody won't change.  Until
they become [stagnant,stable], there is just not enough reason to have 
s.d.o support for a distribution.


On Mon, 14 Jan 2002, Micah Anderson wrote:

>On Mon, 14 Jan 2002, Daniel Polombo wrote:
>
>> Adam Warner wrote:
>
>> Well, maybe you should follow Tim's advice and go check the security team's 
>> FAQ :
>> 
>>    Q: How is security handled for testing and unstable?
>> 
>>    A: The short answer is: it's not. Testing and unstable are rapidly moving
>>       targets and the security team does not have the resources needed to
>>       properly support those. If you want to have a secure (and stable)
>>       server you are strongly encouraged to stay with stable.
>> 
>> Of course, if you're using unstable, fixes tend to appear quickly, but :
>> 
>> - "tend to" is not acceptable when security is concerned
>> - it may take a lot more time depending on your local mirror
>
>
>As woody draws closer and closer to being stable, and potato draws
>closer and closer to the legendary dinosaurs which roamed the earth
>with regards to its outdated software, perhaps this commitment to
>woody's security could be revisited. I would be surprised if a lot of
>the criticism that is coming out on this issue is not related to the
>fact that a lot of people have moved from potato to woody because they
>cannot continue to use potato due to the requirements of certain
>software or underlying libraries, and are thus burned by this security
>policy.
>
>Let's face it, potato has some ancient software that is getting
>outdated, you can hardly find any software that uses db2 anymore, and
>it is not trivial to backport from db3, the version of perl makes
>usage and installation of anything that was done in the last 5 years
>difficult... potato is great, if you want to only use the packages
>which come with it, it is great as a server which doesn't need any
>changes, but if you want to do anything semi-new, or outside of the
>package scope, you have to move to woody, or just wait. With that
>movement comes a significant loss in security policy. 
>
>Now that woody draws near to being stable, perhaps the policy can be
>altered to accommodate for that.
>
>Micah
>
>
>

-- 
void hamlet()
{#define question=((bb)||(!bb))}

Who is John Galt?  galt@inconnu.isu.edu. that's who!


