
Re: [backports & security]

Felix C. Stegerman wrote:
> I'm running unstable on my desktop (well, actually a laptop), so I'm
> accustomed to the occasional breakage and could probably live with it.
> I'm just reluctant to use unstable on a production server connected to
> the internet, because I don't want to leave the server (potentially)
> vulnerable.
> If, however, security updates to unstable are reliable enough, I would
> seriously consider using it (and test upgrades on my laptop first).
> Would you say unstable is reliable enough to use on a production
> server that can handle occasional downtime?  Without any unnecessary
> risk of leaving it open to vulnerabilities?

Personally, I stick to stable servers since I don't have time to babysit
them through frequent dist-upgrades.  If you need only a few more recent
packages, then stable+backports is probably your best bet.  If you need
lots of new packages, then unstable might work for you.  However, you
must realize that many (nearly all) Debian developers are volunteers
(i.e., their employers do not pay them to work on Debian full time) and
so packages can fall behind upstream releases because the maintainer
gets busy.

For a good example of this, see http://bugs.debian.org/src:cyrus-sasl2

The cyrus-sasl2 package is arguably a very important package.  However,
it is now something like three or four minor versions behind upstream
and has a ton of bugs.  That is not a good situation and the maintainer
has recently orphaned it.  However, there is enough attention from other
Debian developers that at least security issues are resolved.

I would be careful of using a server running on unstable that uses
packages which have been orphaned, as those are generally the least
likely to receive attention.


Roberto C. Sanchez
