On Tue, 2003-01-07 at 15:23, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tue, 2003-01-07 at 19:16, Noah L. Meyerhans wrote:
> > On Tue, Jan 07, 2003 at 05:08:23PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> > > So the version from testing should do. You may want to download the
> > > source package and compile it yourself to avoid having to upgrade
> > > dependencies (I don't know, just speculating).
> >
> > Why tell him that? What the hell is wrong with the version of openssl
> > from security.debian.org? There are no known security vulnerabilities
> > there.
> >
> > Advising somebody to install packages from *testing* to get security
> > updates is very unwise. Doing so would prevent them from getting a new
> > version of the package in the event that it's updated by the security
> > team again.
>
> Some might feel more comfortable with installing a package from testing
> than with modifying version checks in a configure script. But I agree
> that I probably should have said that testing, of course, does not have
> security support as do the stable versions.
>
> cheers
> -- vbi

Depending on when the notice came out, Testing may be the *WORST* choice for security fixes - very few packages have moved from Unstable to Testing for a couple months now, due to conversion to GCC 3.2 in Sid among other things, and Security updates are generally only made to Stable, Old-Stable, and Unstable - which then propagates to Testing. Because of this roadblock in Sid, Sarge is noticeably behind on security fixes. If you want to build from up-to-date sources with the hope of the security fix for anything, go to Sid, otherwise, use security.debian.org and stay with the Debian practice of back-porting security fixes whenever necessary.

--
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: kahnt@hosehead.dyndns.org