Dave Ewart wrote:

> On Thursday, 17.03.2005 at 08:54 +0000, Graham Smith wrote:
>
> > <snip> Your views would be most appreciated
> >
> > Come on, someone must have an opinion on this! I won't hold you to what you say :-) I'm just interested to know before I go and make a serious security blunder.
>
> This is not intended as flamebait, but perhaps those who are *really* concerned about up-to-date security don't run 'testing' ... ? That may explain your lack of response.

Ok, thanks for the reply. I hadn't intended it as flamebait. It was an honest request for up-to-date information.

> I am quite happy exposing a fully-patched (Woody) server to the world, but would have reservations about doing so with a Sarge server, until the formal security updates are available.

I had heard that there was talk about formal security updates for Sarge (testing) but I assumed, as I had heard nothing more, that the idea had been dropped. I have the security.debian.org testing/update in my source.list and noticed a few things getting pulled from it now and then, although AIUI it's not official yet.

> The risk of running a public Sarge server can be mitigated by having other layers in your security model (firewalls etc.) and keeping a close eye on the security bulletins.

I have a tough firewall and only (publicly) run Apache and SSH. I keep up to date and run regular rootkit checks. I will subscribe to the DSA list now, though.

> As for stable being 'horribly out of date', in my experience that doesn't matter for most packages that I've been using. A combination of:
>
> 1. 'Older' packages being perfectly OK;
> 2. Using backports.org for some packages;
> 3. Building my own backports for others
>
> has been all that is required.
>
> Dave.

Perhaps I was a little flippant saying it was horribly out of date. I started off with Woody, but I use my main server box for more than just Apache and SSH (funds don't allow for two boxes at present), and getting backports of all the other stuff it runs would be a major hassle.

Thanks for the information. Do you have any other good security tips?