Re: [OT] Release cycle - was Re: My machine was hacked - possibly via sshd?
On Wed, 30 Mar 2005, Malcolm Ferguson wrote:
> David Pastern wrote:
...
> >The only way to fix a problem is for everyone to discuss it, and that
> >means the users and not just the developers.
> >
>
> I completely agree that this needs to be discussed, but is a Debian
> security list the right forum?
discussed is good ... as long as the points are valid and true
if it's an opinion, that is okay too but should NOT be imposed on others
- for the security issue of sshd ..
- it sounds like it was a "computer and network security policy"
issue more than a specific sshd problem
- security is NOT just the availability of the latest or stable apps
long release cycles are good for some
daily release cycles are good for others
"testing" is available for everybody ( daily ) .. users and developers ...
so there is no reason why everybody cannot be running the latest
and greatest
the only distinction between users and developers, is that
maybe a user cannot check in changes and updates
otherwise, all users have access to everything
- if you want daily updates ..
you probably do have the time to test things daily
- if there was a known ssh exploit or apache or any other problem, even
old stable versions are patched when it's critical enough
- if *you* think that this app needs to be updated in the other versions,
*you* can update it yourself at anytime to prevent that vulnerability
from being exploited, but if the "team" didn't think it was important
enough, does not mean that they should do so, or that the distro is bad
- personally, i always upgrade to the latest greatest of
just about everything i consider important .. as there is not
a single distro that has the "latest" of what i want
> It's clear that Debian is used for different purposes and one size might
> not fit all.
yup
> Personally I like long release cycles. I can't stand
> constantly tinkering with my systems.
tinkering is good for development and testing and those that like to
tinker
tinkering is bad for production boxes
i mix and match as needed, and depending on whose box it is,
the oldest servers are over 4yrs old and the newest servers
are at most a day old
c ya
alvin