
Re: Security concerns on stable/unstable



On Sat, Jan 11, 2003 at 07:37:55PM -0500, Bruno Diniz de Paula wrote:
> On Sat, 2003-01-11 at 15:20, nate wrote:
> > official security updates are ONLY available for stable and potato(at the
> > moment). unstable gets updates like normal, they include security updates
> > but are not specifically advertised as so. It's up to the user to manage the
> > security.
> 
> So what you mean is that if someone finds a security flaw on any
> package, the security team of Debian is informed and consequently the
> maintainer of that package is informed. Then the maintainer updates the
> package at woody/potato, advertises that and, at the same time, updates
> the unstable version. This would mean that, in terms of solved bugs in
> the *software* that could cause a security flaw, both woody and sid are
> exactly equal. Is it that?

Not really, no.

The Debian security team manages stable directly. That is, uploads to
stable are generally made by the security team themselves (although
sometimes the package maintainer will do it and have the build approved
by the security team; depends on how responsive the maintainer is, how
busy the security team are, how complex the package is, the phase of the
moon, etc.).

The security team do not touch unstable at all, although they will let
the maintainer know of the problem, usually by filing a bug. The package
maintainer will then update the package in unstable in his/her own time.

All this means that it may take a little longer for a package to be
fixed in unstable than stable, depending on the responsiveness of the
maintainer. Bug reports filed about security issues will have a high
severity, of course, and such bugs get noticed, so even if the
maintainer is completely missing somebody will eventually handle it.

Empirically, unstable is generally pretty good about this kind of thing.
However, there are no guarantees.

  http://www.debian.org/security/faq#testing

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
