rich wrote:
> First up, I'm running testing on my laptop & want some clarification regarding how secure this is. I know it is not monitored in any way for security problems & as such security problems are not fixed on it - however stable is no good to me since my laptop won't boot any 2.4 kernels, and I like/need to use fairly up-to-date software. What I don't understand is why it is so horrendously insecure to run testing

I'm not sure where you got this idea. Testing does not get security updates like Stable does, but I don't believe I would categorize the running of Testing as "horrendously insecure".

> - as I understand it when a vulnerability is found, a new version of the program is normally released which fixes the problem. This new version is built by the debian team & put into unstable and then after a bit (do I remember reading somewhere that it used to take 10 days but is now more like 2?) migrates into testing. Surely that means the longest you're likely to be vulnerable is 10 days?

Assuming the fix makes it into the next version that gets into Testing, that's pretty much correct.

> I appreciate this is useless for a server, and you've no recourse if you then get hacked as a result of running vulnerable software, but I don't see that it is a matter of being totally vulnerable. Surely it's a matter of being vulnerable for a few days longer than if you were running stable - something that I would be willing to live with if it let me run debian on my laptop with up-to-date software.

My personal opinion? Skip Testing and go straight to Sid. You have more chance of breakage (although it's been very rare in my experience (about 3 years now)), but said breakage also tends to get fixed within hours instead of 10 days. Same for vulnerabilities. As soon as a vulnerability is found, if the developer/maintainer of that package is on the ball, the fix will be in Sid very quickly, perhaps even before it makes it into Stable. You also get newer toys to play with.
-- Kent -- Kent West westk@acu.edu