Re: [backports & security]
Felix C. Stegerman wrote:
> I'm about to install sarge on a (production) server of my own, and
> would rather like to have the latest versions of:
> * mysql (5.0)
> * vim (7.0)
> * the Linux kernel (2.6.16) [ppc]
> Since these are not in sarge, I'm considering using backported
> versions from backports.org. I was however unable to find much
> information on the effect on security of using backports.org. Since
> this server will expose several services to the internet (apache,
> subversion, mysql), I want to make sure that it is, and stays, secure.
> So these are my questions:
> * Are you using unofficial repositories (e.g. backports.org) on
> production servers?
Not any more, but I used to when I needed a more recent samba than that
on woody. (Now using sarge). I now use it on my productive laptop for
kernel and OO 2.0, but the latter only very seldom.
> * Do you (and can I) trust backports.org?
I'm not from backports.org, but I don't know why you should trust their
mysql 5.0 less than what you would backport yourself. In both cases, the
chance to miss an important security update etc. is probably higher than
on stable, but you already knew that.
If trust is of utmost importance, it is always better to compile
yourself; and if anything goes wrong you know whom to blame :=))
(You could achieve even more trust, if you scrutinize the source code
line by line before compiling... )
It's always a difficult decision between 'I'd rather have xxx' and
security. If reliability is important, I would rather stick to stable,