
RE: possible hole in mozilla et al



> Coming from a corporate environment I hardly feel that stable is
> ancient.

Also coming from a corporate environment, and one specifically focused
on web technologies, I disagree. We have been forced to mix
stable/testing to get basic fixes in things like Apache. Another thing
that really irritates is that the commercial and non-commercial security
scanning tools throw lots of 'this version is insecure' false positives
which all have to be investigated and ticked once proof of patch has
been established, and we run such scanning frequently.

> But with Debian I can point to the unstable-testing-stable system and
> my boss understands that it has already gone through a 'teething' period
> before it's released.

This is also one reason that we use Debian - though more important to us
is the improved security through fine-grained package control.

> If Debian were to accelerate the path to stable too much stable would
> lose its value to us. (unless security fixes were released for older
> stable versions)

The opposite is true of our company - stable lags so far behind now that
we have been forced to combine stable/testing/unstable - not only in
things like Apache, but even in basics like the use of netfilter
stateful firewalling in the 2.4 kernel series.


I agree with Tim Uckun's comments - we don't need bleeding edge, but we
also don't need
some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb
holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc.

We would be over the moon to have a mini-stable that only contained core
packages, and that kept better pace with the real world.


-----Original Message-----
From: James Morgan [mailto:jmmorgan@morgan-consulting.com] 
Sent: 09 May 2002 01:30
To: debian-security@lists.debian.org
Subject: Re: possible hole in mozilla et al


At 15:38 2002-05-08 -0600, Tim Uckun wrote:
>The situation right now is that for production you run an ancient
>system or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is ancient.
With most commercial operating systems the quality control seems so poor it
takes a few years before we feel comfortable moving to a new release.
But with Debian I can point to the unstable-testing-stable system and my
boss understands that it has already gone through a 'teething' period
before it's released.
If Debian were to accelerate the path to stable too much stable would lose
its value to us. (unless security fixes were released for older stable
versions)




-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org


