[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian sarge and production servers is it ready on 12/26/2004?

Mitchell Laks wrote:
Tim said:

If you think testing or unstable is suitable for production systems you are
one of

1. an idiot
2. have very limited needs/no experience
3. talking out of your ass
4. have no concept of what it means to be responsible for others' work

Even Sarge? I need something more up to date then woody, for my postgresql and
need the integration that sarge provides, vs backports + woody. Is Sarge that
dangerous on 12/26/2004? I want others opinions. I have 2 servers running
sarge 24/7 right now (for last 3 weeks.... just installed).

I think the issue is that packages are not directly uploaded to testing.
So it is possible to have version X of package A installed in testing.
Tomorrow a security vulnerability in version X is announced.  The day
after, the package maintainer has uploaded an updated version to

Now the waiting begins.  Packages must be in unstable for 10 days with
no critical or grave bugs (IIRC) before they transition to testing.
That means that for a minimum of 10 days, you are running vulnerable
software (thinkk phpBB).  If within that 10 day window a newer version
is uploaded to unstable, the clock restarts on the new version.  If
a serious or grave bug is filed, the package simply will not make it
into testing.  Likewise, if the package fails to build for *any* of
the supported Debian architectures, it will not go into testing (unless
it as architecture specific package, like a kernel).  You could
potentially be running insecure software for an indefinite period of

This assumes that the maintainer actually keeps up with upstream
development.  Many actually do this, but there are maintainers that
let their packages rot.  For a stable release the maintainers are
involved, but the ultimate responsibility rests with the Debian security
team.  Thus, updates will be made as quickly as feasible.  You simply do
not have this guarantee with unstable or testing (except when testing
gets security team support in preparation for release).



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: