On Fri, 2003-11-14 at 01:54, Chema wrote:
> On Thu, 13 Nov 2003 16:40:08 -0500
> Greg Folkert <greg@gregfolkert.net> wrote:
> GF> What do you mean, it has been fixed in the current version of ssh
> GF> (3.6.1p2-9) The days they were announced there were fixes available
> GF> (4 hours if I remember properly) (2 version increments in short
> GF> order)
>
> So you don't need openssh 3.7.1 to be safe (from this, at least).

Correct, the whole idea behind "Stable" or Woody... is that the packaging and versions stay compatible and consistent... therefore "STABLE": as few changes as possible, Maintenance Mode (Bug and Security Fixes, NO new features).

> Now, I'm new to Debian, I'm "unstabling" my system (so far, not good
> ;-), and would like some clarification, so please tell me if true, nil
> or void:

"Testing" or Sarge, as it is called right now, is the next version of Stable to be released. The reason it is called testing is just that people are testing it to make sure it is good enough to become "Frozen", which in and of the word means: serious flaws, bugs and fixes are the only changes that can be made... some exceptions can be made if the features are deemed very needed... but overall it is a setting of versions and features into wet clay... allowing for changes still, but only fixing things, no NEW designs or such.

"Unstable" or Sid (as it is always called) is not "unstable as a Linux distribution". I personally have a Sid machine that has an uptime of 4 months right now... it is up to date (with a 2.4.20 kernel) and works flawlessly... I update it every day. The "Unstable" term refers to the package listing that is available; on any given day there could be hundreds of updates to Sid... take a look at http://incoming.debian.org. Those are the changes submitted in the last few days (or weeks sometimes). I had a Sid machine I updated yesterday, hadn't touched it for 6+ weeks. 879 packages updated, 82 newly installed, 24 removed (due to repackaging) and 4 held.

THAT is what "Unstable" is all about.

> 1. There are no "formal" security fixes for testing and unstable.

Correct. Nothing formal about them... although testing was supposed to have them. It has just not really been needed. If you really are worried about security on Sid or Sarge... you know how and where to get your "fix".

> 2. So the usual securing method is to wait for a patched or new
> version to get to your apt mirrors.

Debian Archive updates are a continuous thing: the Master shoves stuff out to the Push Mirrors (which are [ ht |f ]tp.XX.debian.org), then the leaf mirrors, which usually check often, pull the stuff down to themselves. The process of acceptance from incoming on these things is usually very short for Sid. It may take a week or more to get promoted to "Testing"... once again... if you really are worried, you really shouldn't be running Unstable if you don't know where to get the fixes.

> 3. Even if you apt-get testing/unstable fixes from debian.org, fixes
> for stable will be well before in security.debian.org.

Indeed, Stable *IS* the priority. If it isn't fixed within hours (typically) or even sometimes minutes... something is gravely wrong with the security fix and it takes a bit more work to get it right.

> 4. With how much difference? Hours or days?

Typically, for a simple fix... it could be as few as the minutes it takes for the maintainer to compile and upload. On the other hand, if Stable is a long fix... it could be that Unstable takes as long. But it might be fixed as soon as Stable due to the backport causing trouble. Typically though, you are usually looking at minutes to a couple of hours.

> 5. Where are equivalents of debian-security-announce for
> testing/unstable?

There really is nothing for Testing or Unstable. Just reference the Debian Advisory. And subscribe to debian-devel... Comments from Developers usually are right on the money... and can help out with the wondering.

Overall, if security is your number one "paranoid" issue (it is for me) then you either stick with Stable or discover where it is that you need to get your fixes ASAP.

--
greg, greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Your beautiful bulgarian bricks stack like the thousand eyes of Estonian potatoes, peering amid fuzzy dreams of corrugated cardboard.