Re: Bad press related to (missing) Debian security - action
On Tue, 28 Jun 2005, martin f krafft wrote:
> also sprach Alvin Oga <aoga@mail.Linux-Consulting.com> [2005.06.28.1451 +0200]:
> > - all other debian boxes do NOT trust it and nobody else should
> > trust it either... it is "for testing and development"
>
> I know. But what happens when someone decides to abuse it? I could
> host a machine, no problem. But giving root access to others is the
> problem.
obviously.. only "trusted" people would have root access
and it is a "security test server" and should encourage others
to try to become root too and to document how they did it and
if it's repeatable
---
- there's tasks for the "security team" to do
- there's tasks that anybody can do
---
the point is we all have varying degree of security requirements
and we all can add our methodology and scripts and try to create
a suitable infrastructure for "security updates"
woody or
sarge/stable has security update ( very structured and tested over for
years, which is a good thing )
etch/testing.... where are the security patches ??
- i want it to also have latest apps i care about
( latest kernels, latest apache, latest xxx, .. )
- this is the parts i'm interested in structuring for security
updates as some/most security patches are fixed in later releases
from the originating authors/sites and they already maintain
and keep their eyes on all the announced vulnerabilities and
exploits
sid/unstable ... has lots of security updates and updates for apps
- not suitable (??) for ( remote ) production servers
c ya
alvin