Bryan Donlan wrote:
> On 8/23/05, Kent West <westk@acu.edu> wrote:
>> It's my understanding that because of their high-priority nature, security updates go into Stable even before they sometimes make it into Testing (or perhaps, Unstable?). So a Testing system with the stable security line is more likely to get patched more quickly than waiting for the normal influx of packages into Testing. My understanding may very well be amiss, however.
>
> No.

"No" to "...my understanding..." or "No" to "My understanding may very well be amiss..."?

> Say that stable has foobar version 1.0.4-1, and testing has foobar 1.0.5-1. Now there's a security fix. Stable-security gets 1.0.4-1sarge1 or similar, unstable gets 1.0.5-2. However, testing still has 1.0.5-1, which is newer than 1.0.4-1sarge1. It will be at least two days until the unstable fix gets into testing.

Say that stable has foobar version 1.0.4-1, and testing also still has foobar 1.0.4-1. Now there's a security fix. Stable-security gets 1.0.4-1sarge1 or similar, unstable gets 1.0.5-0. Testing still has 1.0.4-1, which is older than 1.0.4-1sarge1. It will be at least two days until the unstable fix gets into testing.

In your case, if the 1.0.5-1 version in Testing does not have the security issue (which is doubtful), all is fine for those two days. I'm unclear if you're saying you've got two days of vulnerability, or if you're saying that Testing's newer version than Stable-security's mitigates those two days of vulnerability.
I don't think leaving the Security line at stable hurts anything, and I think it makes sense to leave it there.
-- Kent