
Re: What is best practice for managing sources.list for security and stability?



On Mon, May 25, 2009 at 11:49:26AM -0700, john wrote:
> Hi all,
> 
> Perhaps this is an "it depends..." kind of question but here it goes:
> 
> I manage several Debian boxes running Etch and Lenny. I installed
> Debian because I want long term stability and support for the
> applications running on the servers. After I build a box and get my
> applications tweaked I usually comment out everything except the
> security entries like so:
> 
> cat /etc/apt/sources.list
> 
> #deb http://ftp.us.debian.org/debian/ etch main
> #deb-src http://ftp.us.debian.org/debian/ etch main
> 
> deb http://security.debian.org/ etch/updates main contrib
> deb-src http://security.debian.org/ etch/updates main contrib
> 
> The recent key-change forced me to use the main stable repos to get
> the new keys (e.g. apt-get install debian-archive-keyring), and got
> me thinking...
> 
> Is the approach I outlined the "best" way to maintain the security and
> stability of these boxes or should I really be using the main
> repositories as well?

We maintain local mirrors of the main and security repos for the
varieties of Debian we use (Etch and Lenny in i386 and AMD64
flavors) plus a local repo of our own packages. All this can be
considered staging: we can pull from it for a test box, and if
it goes well, move the package into our production repo.

This costs a bit in disk space (but not so much as it once did!)
and saves a bit in bandwidth, which is really pronounced as
"works faster when we need it".

-dsr-



-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.

You can't defend freedom by getting rid of it.
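
An added example, not part of the original message and not code from either poster: a small shell check that reads a sources.list and reports whether any non-security archive entry is active, which is the gap the key change exposed in the security-only file quoted above. The function names are hypothetical, the sample input is constructed from the file in the question, and the parser assumes classic one-line entries.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes classic one-line entries: "deb URI SUITE COMPONENT...".

# Constructed sample: the sources.list quoted in the question.
sample_sources() {
cat <<'EOF'
#deb http://ftp.us.debian.org/debian/ etch main
#deb-src http://ftp.us.debian.org/debian/ etch main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib
EOF
}

# Read a sources.list on stdin; print "<kind> <uri> <suite>" for each
# active binary entry. Suites ending in /updates are the security suite
# (etch/updates, lenny/updates); anything else counts as "archive".
classify_sources() {
    while read -r type uri suite _rest; do
        [ "$type" = "deb" ] || continue   # skips comments, blanks, deb-src
        case "$suite" in
            */updates) echo "security $uri $suite" ;;
            *)         echo "archive $uri $suite" ;;
        esac
    done
}

# Count active entries of one kind ("security" or "archive") from stdin.
count_kind() {
    classify_sources | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Succeed only if at least one non-security archive entry is active.
has_archive() {
    [ "$(count_kind archive)" -gt 0 ]
}

# Demo on the constructed sample.
sample_sources | classify_sources
if sample_sources | has_archive; then
    echo "archive entry active"
else
    echo "WARNING: security-only; main-archive packages (the thread's example: debian-archive-keyring) cannot be fetched"
fi
```

The same check works against a local staging or production mirror: pipe that box's `/etc/apt/sources.list` into `has_archive` instead of the sample.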

