Re: [backports & security]

* Johannes Wiedersich [2006-06-01 12:39]:
> > I'm about to install sarge on a (production) server of my own, and
> > would rather like to have the latest versions of:
> >   * mysql (5.0)
> >   * vim (7.0)
> >   * the Linux kernel (2.6.16) [ppc]
> > Since these are not in sarge, I'm considering using backported
> > versions from backports.org.  I was however unable to find much
> > information on the effect on security of using backports.org.  Since
> > this server will expose several services to the internet (apache,
> > subversion, mysql), I want to make sure that it is, and stays, secure.
> > So these are my questions:
> >   * Are you using unofficial repositories (e.g. backports.org) on
> >     production servers?
> Not any more, but I used to when I needed a more recent samba than that 
> on woody. (Now using sarge). I now use it on my productive laptop for 
> kernel and OO 2.0, but the latter only very seldom.
> >  * Do you (and can I) trust backports.org?
> I'm not from backports.org, but I don't know why you should trust their 
> mysql 5.0 less than what you would backport yourself. In both cases, 
> the chance to miss an important security update etc. is probably higher 
> than on stable, but you already knew that.

Do you know what would be the best way to make sure I don't miss any
of those updates?  If I backport e.g. mysql from unstable/testing,
will I be able to rely on security announcements to debian-security,
or do I need to check for new vulnerabilities upstream?

> If trust is of utmost importance, it is always better to compile 
> yourself; and if anything goes wrong you know whom to blame :=))
> (You could achieve even more trust, if you scrutinize the source code 
> line by line before compiling... )
> It's always a difficult decision between 'I'd rather have xxx' and 
> security. If reliability is important, I would rather stick to stable, 
> but YMMV.

I'm more concerned about security than reliability.  I can handle
occasional downtime if something breaks, but I'd rather avoid my
system being compromised.

- Felix

Felix C. Stegerman <flx@obfusk.net>                  http://obfusk.net
~ "Any sufficiently advanced bug is indistinguishable from a feature."
~   -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
