
Re: Sarge security updates



Jeff Penn said:
> I am using Sarge on a dial-up workstation.  I would appreciate if anyone
> could expand on the statement below copied from the Debian Security FAQ.
>
> For instance, do security patches always get applied to testing?
> How long do security updates to testing lag behind stable?


There are really no official security updates for testing or
unstable. There are updates, but they are just that, updates, usually
not specifically released for security reasons. This is because testing
is, well, a testing distribution, and as time goes on the software available
in testing will become quite different from stable, so security updates
for stable may not apply to testing at all, or they may apply but a different
fix is needed because the software may be newer. Or there may be
a security bug in testing which may not relate to stable at all.

Last I remember, the time between a package hit unstable and went to
testing was something like 2 weeks. So if a security problem came out,
it would take up to 2 weeks (provided there are no big bugs discovered in
the package) for it to get to testing. In one case (SSH) the security
team released an update for testing in addition to stable (potato back
then).

I wouldn't recommend testing where security is very important, or at least
stick to solid packages and audit the system to minimize risks even if
there is a bug. You can also install packages from unstable or recompile
the ones from unstable for testing (I did this for my testing systems when
the apache bug came out a while back).

nate




