
Re: using sarge on production machines


David Ehle <ehle@agni.phys.iit.edu> wrote:
> IF, I had, say late last year, heard that Sarge was going
> stable REAL SOON,
> and was trying to decide if I was going to go through the hoops being
> described, or just do an early upgrade, since there WAS at the time a
> working security repository for sarge,
> I might have, Hypothetically, moved
> some of my production systems to Testing.
> If that had occurred, I might be
> able to tell you that things have gone relatively
> painlessly and safely.
> But as was pointed out earlier,
> doing something like that IS kind of iffy,
> so of course, I couldn't do such a thing...

This is exactly my situation!
You described it better than me :)

So there WAS really a security team at that time. I had eventually come to think that I had only dreamed it or misunderstood something.
But this is not Debian-like. I thought that if they ran security updates they would not just stop them again.

However, the situation is as it is, and it is not good for me.
But I have been very lucky, because nothing special has happened to my systems so far.
I touch wood that the systems remain secure until the security team resumes its work :) but this might not be enough.
The trust that I put in the Debian project might also not be enough. Although Debian sarge is called testing, it is relatively stable and most of the time also secure compared to other distros or even operating systems. But this is not enough.

If Debian sets up a security team for a distribution, this persuades admins to upgrade. But then the work is stopped, or has to be stopped; for what reason does not matter.
I believe that there are very good reasons for the stop (an infrastructure issue).
However, I think that the Debian project should develop a security concept that covers such problems at least partly.
I even think that there are approaches:
for example, the priority with which a package transits from unstable to testing.

Do packages with important security problems (for example, remote execution of arbitrary code) move faster from unstable to testing?
I think this is so, but I am not sure...

Are there other Debian-related sources about securing sarge besides this?

How does Debian deal with the problem?
And especially because of this:
> Running unreleased software on production systems is a touchy issue.
> Most system administrators simply won't admit it.

So, if admins do not admit it, no one talks about it. If no one talks about something, does this improve security??

I know that Debian has a stable and very secure release, but what resources does the Debian project give to admins who have made the "mistake" of running sarge too early, for the reasons described above?
What strategies are applied to deal with the problem?

I talk like this because I trust the Debian project very much and I also expect very much from it.
The expectations are very high because Debian does a very good job.
So there must be some idea around ...

Thanks a lot again for the interesting feedback. It has clarified many things.
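The question raised in the message above, whether a security fix reaches testing faster than an ordinary upload, turns on the urgency field the maintainer sets in debian/changelog: Debian's testing migration waits a minimum number of days that depends on that urgency. As an added example (not part of the original thread and not Debian's own tooling), the following Python script parses changelog stanzas, reads the urgency and upload date, and estimates the earliest date each upload could migrate. The delay table (low=10, medium=5, high/emergency/critical=2 days) is an assumption about the release team's policy at the time, and the sample changelog is constructed for illustration.

```python
"""Estimate testing-migration eligibility from a Debian changelog.

Added example; the delay table and the sample changelog are assumptions.
"""
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Assumed minimum age (days) an upload to unstable must reach before the
# migration scripts consider it for testing, keyed by urgency.
URGENCY_DELAY_DAYS = {
    "low": 10,
    "medium": 5,
    "high": 2,
    "emergency": 2,
    "critical": 2,
}

# "source (version) distribution(s); urgency=level"
HEADER_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
    r"(?P<dists>[^;]+); urgency=(?P<urgency>[a-z]+)"
)
# " -- Maintainer <addr>  RFC 2822 date" (two spaces before the date)
TRAILER_RE = re.compile(r"^ -- (?P<maint>.+?)  (?P<date>.+)$")

# Constructed sample changelog: a security upload at urgency=high on top of
# an ordinary upload at urgency=low.
SAMPLE_CHANGELOG = """\
foo (1.2-3) unstable; urgency=high

  * Fix remotely triggerable buffer overflow in the request parser.

 -- Jane Doe <jane@example.org>  Mon, 07 Mar 2005 10:00:00 +0100

foo (1.2-2) unstable; urgency=low

  * New upstream release.

 -- Jane Doe <jane@example.org>  Tue, 01 Feb 2005 12:00:00 +0100
"""


def parse_changelog(text):
    """Return a list of stanzas (newest first) as dicts with source,
    version, dists, urgency, changes and the upload timestamp."""
    entries = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = dict(header.groupdict(), changes=[], uploaded=None)
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first stanza header
        trailer = TRAILER_RE.match(line)
        if trailer:
            current["uploaded"] = parsedate_to_datetime(trailer.group("date"))
            current = None  # stanza closed
            continue
        if line.startswith("  "):
            current["changes"].append(line.strip())
    return entries


def migration_delay_days(urgency):
    """Minimum age for the given urgency; unknown values are treated as
    'low' so that a typo never shortens the wait."""
    return URGENCY_DELAY_DAYS.get(urgency, URGENCY_DELAY_DAYS["low"])


def earliest_migration(entry):
    """Earliest timestamp at which the upload could enter testing, ignoring
    build failures, RC bugs and dependency waits that can delay it further."""
    return entry["uploaded"] + timedelta(days=migration_delay_days(entry["urgency"]))


def fast_track(entries):
    """Uploads whose urgency gives them the shortest migration delay."""
    fastest = min(URGENCY_DELAY_DAYS.values())
    return [e for e in entries if migration_delay_days(e["urgency"]) == fastest]


if __name__ == "__main__":
    for e in parse_changelog(SAMPLE_CHANGELOG):
        print(f'{e["source"]} {e["version"]} urgency={e["urgency"]}: '
              f'uploaded {e["uploaded"].date()}, '
              f'earliest testing {earliest_migration(e).date()}')
```

Run it against a real /usr/share/doc/<package>/changelog.Debian (after gunzip) to see how long a given fix has been waiting; the point for a testing user is that only uploads the maintainer marked urgency=high get the short delay, and even those still sit in unstable for days, during which testing remains unpatched.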


