On Thursday, 17.03.2005 at 08:54 +0000, Graham Smith wrote:

> > I am sure this question has probably been done to death but I have
> > googled and can't seem to find any up-to-date information.
> >
> > I am tracking testing and I am wondering how good the security is.
> > As I understand it, security in testing is reliant on contributor
> > security patches filtering down from unstable with the security team
> > providing no input. To speed things up though I believe patches are
> > generally only quarantined for a short period (a couple of days).
> >
> > Is this correct? If so realistically how bad is the security impact
> > on testing? Is it bad enough that you would have to have a screw
> > loose to run a testing server? The problem I have is that a stable
> > server is horribly out of date and an unstable server seems like a
> > risk (extra maintenance time fixing busted apt-gets for possibly
> > minimal extra security).
> >
> > Your views would be most appreciated
>
> Come on, someone must have an opinion on this! I won't hold you to
> what you say :-) I'm just interested to know before I go and make a
> serious security blunder.

This is not intended as flamebait, but perhaps those who are *really* concerned about up-to-date security don't run 'testing' ... ? That may explain your lack of response.

I am quite happy exposing a fully-patched (Woody) server to the world, but would have reservations about doing so with a Sarge server, until the formal security updates are available.

The risk of running a public Sarge server can be mitigated by having other layers in your security model (firewalls etc.) and keeping a close eye on the security bulletins.

As for stable being 'horribly out of date', in my experience that doesn't matter for most packages that I've been using. A combination of:

1. 'Older' packages being perfectly OK;
2. Using backports.org for some packages;
3. Building my own backports for others

has been all that is required.

Dave.
-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92