Felix C. Stegerman wrote:
Hi,
I'm about to install sarge on a (production) server of my own, and
would rather like to have the latest versions of:
* mysql (5.0)
* vim (7.0)
* the Linux kernel (2.6.16) [ppc]
Since these are not in sarge, I'm considering using backported
versions from backports.org. I was however unable to find much
information on the effect on security of using backports.org. Since
this server will expose several services to the internet (apache,
subversion, mysql), I want to make sure that it is, and stays, secure.
So these are my questions:
* Are you using unofficial repositories (e.g. backports.org) on
production servers ?
Not any more, but I used to when I needed a more recent samba than that on woody. (Now using sarge). I now use it on my productive laptop for kernel and OO 2.0, but the latter only very seldom.
* Do you (and can I) trust backports.org ?
I'm not from backports.org, but I don't know why you should trust their mysql 5.0 less than what you would backport yourself. In both cases, the chance to miss an important security update etc. is probably higher than on stable, but you already knew that.
If trust is of utmost importance, it is always better to compile yourself; and if anything goes wrong you know whom to blame :=))
(You could achieve even more trust, if you scrutinize the source code line by line before compiling... )
It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.
Johannes