
Re: Debian security being trashed in Linux Today comments



On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
> Adam Warner wrote:
> 
> > On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> 
> >>Some of us wouldn't dare say such things without at least reviewing the
> >>given distro's security policy, FAQ and history.
> 
> > But I was really impressed that updates for unstable/testing were
> > released at the same time. For those of us that use/test the bleeding
> > edge on our systems it's a great reassurance to see the security team
> > giving consideration to the security of testing/unstable.
> 
> Well, maybe you should follow Tim's advice and go check the security team's FAQ:

Weren't my comments enough for you to be able to interpret WHY I said
I was "really impressed"? I have known and understood the security FAQ
for a long time, Daniel.

>     Q: How is security handled for testing and unstable?
> 
>     A: The short answer is: it's not. Testing and unstable are rapidly moving
>        targets and the security team does not have the resources needed to
>        properly support those. If you want to have a secure (and stable)
>        server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

"This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution."

Oops, the security team breached their FAQ :-)

> Of course, if you're using unstable, fixes tend to appear quickly, but:
> 
> - "tend to" is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam