
Re: Debian sarge and production servers is it ready on 12/26/2004?



Mitchell Laks wrote:
Tim said:

If you think testing or unstable is suitable for production systems you are
one of

1. an idiot
2. have very limited needs/no experience
3. talking out of your ass
4. have no concept of what it means to be responsible for others' work

Even Sarge? I need something more up to date than woody, for my postgresql and
need the integration that sarge provides, vs backports + woody. Is Sarge that
dangerous on 12/26/2004? I want others' opinions. I have 2 servers running
sarge 24/7 right now (for the last 3 weeks.... just installed).
Mitchell


I think the issue is that packages are not directly uploaded to testing.
So it is possible to have version X of package A installed in testing.
Tomorrow a security vulnerability in version X is announced.  The day
after, the package maintainer has uploaded an updated version to
unstable.

Now the waiting begins.  Packages must be in unstable for 10 days with
no critical or grave bugs (IIRC) before they transition to testing.
That means that for a minimum of 10 days, you are running vulnerable
software (think phpBB).  If within that 10-day window a newer version
is uploaded to unstable, the clock restarts on the new version.  If
a serious or grave bug is filed, the package simply will not make it
into testing.  Likewise, if the package fails to build for *any* of
the supported Debian architectures, it will not go into testing (unless
it is an architecture-specific package, like a kernel).  You could
potentially be running insecure software for an indefinite period of
time.

This assumes that the maintainer actually keeps up with upstream
development.  Many actually do this, but there are maintainers that
let their packages rot.  For a stable release the maintainers are
involved, but the ultimate responsibility rests with the Debian security
team.  Thus, updates will be made as quickly as feasible.  You simply do
not have this guarantee with unstable or testing (except when testing
gets security team support in preparation for release).

HTH,

-Roberto

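The migration rules Roberto describes (10 days of aging in unstable, a restarted clock on each new upload, and a hard block on RC bugs or a failed build on any release architecture) can be modelled to see how long testing stays exposed after a security announcement. This is an added illustration, not code from the thread or from Debian's own migration script; the 10-day figure, the architecture list and the dates are taken from the post or constructed, and urgency-based aging is ignored.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the rules stated in the post. Debian's real migration
# script applies more rules (e.g. urgency-dependent aging); those are assumed away.
AGE_DAYS = 10                                       # days a version must sit in unstable
RC_SEVERITIES = frozenset({"critical", "grave", "serious"})  # bugs that block migration
ARCHES = frozenset({"i386", "amd64", "powerpc"})    # constructed subset of release arches


@dataclass
class Upload:
    version: str
    uploaded: date
    built_on: frozenset                       # arches with a successful build
    bug_severities: frozenset = frozenset()   # severities of open bugs on this version
    arch_specific: bool = False               # e.g. a kernel package


def migration_date(uploads):
    """Date the newest unstable upload may enter testing, or None if blocked.

    A newer upload restarts the aging clock, so only the latest one counts.
    """
    latest = max(uploads, key=lambda u: u.uploaded)
    if latest.bug_severities & RC_SEVERITIES:
        return None                           # RC bug: never migrates as-is
    if not latest.arch_specific and not ARCHES <= latest.built_on:
        return None                           # failed to build on a release arch
    return latest.uploaded + timedelta(days=AGE_DAYS)


def exposure_days(announced, uploads):
    """Days testing stays vulnerable after an announcement, or None if unbounded."""
    mig = migration_date(uploads)
    return None if mig is None else (mig - announced).days


# Constructed timeline following the post: vuln announced, fix uploaded next day.
ANNOUNCED = date(2004, 12, 26)
FIX = Upload("1.0-1", date(2004, 12, 27), ARCHES)
REUPLOAD = Upload("1.0-2", date(2005, 1, 3), ARCHES)          # restarts the clock
FTBFS = Upload("1.0-3", date(2005, 1, 5), frozenset({"i386", "amd64"}))  # missing powerpc
BUGGY = Upload("1.0-4", date(2005, 1, 7), ARCHES, frozenset({"grave"}))

if __name__ == "__main__":
    print(exposure_days(ANNOUNCED, [FIX]))                   # 11
    print(exposure_days(ANNOUNCED, [FIX, REUPLOAD]))         # 18
    print(exposure_days(ANNOUNCED, [FIX, REUPLOAD, FTBFS]))  # None
    print(exposure_days(ANNOUNCED, [FIX, BUGGY]))            # None
```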