On Thu, Nov 14, 2002 at 07:45:34AM +0700, Jean Christophe ANDRÉ imagined:
> Raymond Wood wrote:
> > Jean Christophe ANDRÉ remarked:
> > > Raymond Wood wrote:
> > > > Respectfully, does anyone know when Sid will receive
> > > > patches for the previous Apache vulnerabilities that
> > > > were fixed for Potato and Woody, but not Sid? It's been
> > > > days...
> > > > Raymond
> > > Because Sid's aim is to allow you to test bugs... and enjoy
> > > viruses! <g> ;-)
> > That was not my question - read again if you must.
> I read it again, my answer was right for your pure question! :)
> [...]
> > The relevant DSA in question itself stated something to the
> > effect 'a fix for Sid will appear soon'. At this point I am
> > wondering how soon or how late: I mean are we talking about
> > days or weeks at this point?
> Ok, I was wrong because of ignoring this, my apology.
>
> Cheers, J.C.

My apology also -- I had no intention of trying to upset anyone. I'm just trying to get an approximate answer to a general question. So no worries.

The question is obviously an unpopular one :) It seems many Debian people are fond of claiming that Debian's software versions aren't so far behind the other commercial distributions because "you can always use Sid if you need the latest versions". This has worked quite well for me, and others I know, and know of, who want to run something a little more current on our desktops.

From a security perspective, this has also worked rather well in cases when security vulnerabilities have been addressed by the DSAs that are issued. Even though Sid is officially not supported by the security team, still 99 times out of a hundred, a patch or new version will appear in Sid quite promptly (I don't know if these are usually done by the security team or not). So there is usually very little risk for those running Sid on their desktops, if they are careful, in my experience.

This latest episode that I'm asking about now seems different though. Patches were issued for *multiple* Apache problems in Potato and Woody, and ... nothing happens in Sid. Well, this is a 'first' for me. Perhaps I am finally just getting to know Sid a little better than I did before ;) Perhaps the security vulnerabilities are somehow not as serious as in other cases (i.e. hard/impossible to exploit). I just don't know.

Anyway, since asking this question seems to cause grief for both myself and others on this list, this will be the last time I am going to mention it. I'll take it as a lesson learned if I have to.

I will, however, continue to find it strange that there is seemingly so little desire (on this list anyway) to address Sid's current status with respect to this particular Apache vulnerability -- quite apart from the policy of which we're all aware, that Sid is not ever guaranteed security patches. It seems like a reasonable concern to me, for a security list.

My $0.02,
Raymond

--
"You deserve to be able to cooperate openly and freely with other people who use software. You deserve free software." -Richard M. Stallman, Free Software Foundation, http://www.fsf.org