Re: Current bullseye security and stability

To: debian-testing <debian-testing@lists.debian.org>
Subject: Re: Current bullseye security and stability
From: MichaIng <micha@dietpi.com>
Date: Sat, 16 Jan 2021 21:11:32 +0100
Message-id: <[🔎] 6baa5ed1-5401-9b86-0f50-167d2d10b9fd@dietpi.com>
In-reply-to: <[🔎] 87lfcsrhfy.fsf@disroot.org>
References: <[🔎] 87pn2763ak.fsf@disroot.org> <[🔎] 818e323e-5169-39f7-26b7-9d7c3a65d29d@syt.net> <[🔎] bcb1049c-8d44-34e2-7fe0-65cc927d31e4@dietpi.com> <[🔎] 87lfcsrhfy.fsf@disroot.org>

> So you recommend avoiding sid even for specific package minor-version
> upgrades with security fixes?
>
> The Debian wiki says otherwise.  See
> https://wiki.debian.org/DebianTesting#Best_practices_for_Testing_users
>
> I currently follow the Debian wiki advice.  I carefully monitor the list
> of installed packages from unstable, to avoid unintended upgrades.

Hi Jorge,

the way you explain how you use it, especially carefully reviewing theupgrade list, and are okay with the chance to run into bugs with theimplementation, it should be fine, but I would never recommend it to a"regular" user, not knowing the experience level.

Read the notes at the top about which requirements need to be fulfilledbefore a package is merged from "unstable" to "testing":- The package has been in "unstable" at least for 2-10 days (dependingon the urgency of the upload).- The package has been built for all the architectures which the presentversion in testing was built for.- Installing the package into testing will not make the distributionmore uninstallable.

- The package does not introduce new release critical bugs.

The other way round, the above points are not guaranteed for "unstable"and usually critical security fixes are available in testing a couple ofdays later, which should outweigh the possible chance for a majorsecurity issue introduced with a package from unstable due to anon-reviewed/tested implementation change for example.

When using testing only, APT upgrades can be applied without issues(dist/full-upgrade still needs to be reviewed of course due to possiblychanging major versions) and a minimum of test and review is guaranteed,which IMO is worth it to wait for.

But it all depends on the use-case and personal preference, of course.And, if you do report bugs back to the package maintainers, you can helpmaking testing->stable better for other users, so it's actually great ifmore (experienced) users use "unstable", but it's just not what I wouldrecommend to a "regular" user ;).


Kind regards,

Micha

Reply to:

Follow-Ups:
- Re: Current bullseye security and stability
  - From: Jorge P. de Morais Neto <jorge+list@disroot.org>

References:
- Current bullseye security and stability
  - From: "Jorge P. de Morais Neto" <jorge+list@disroot.org>
- Re: Current bullseye security and stability
  - From: ldavila@syt.net
- Re: Current bullseye security and stability
  - From: MichaIng <micha@dietpi.com>
- Re: Current bullseye security and stability
  - From: Jorge P. de Morais Neto <jorge+list@disroot.org>

Prev by Date: Re: Current bullseye security and stability
Next by Date: Re: Current bullseye security and stability
Previous by thread: Re: Current bullseye security and stability
Next by thread: Re: Current bullseye security and stability
Index(es):
- Date
- Thread