Re: [backports & security]

Felix C. Stegerman wrote:

> Do you know what would be the best way to make sure I don't miss any
> of those updates?  If I backport e.g. mysql from unstable/testing,
> will I be able to rely on security announcements to debian-security,
> or do I need to check for new vulnerabilities upstream?

Just looking up http://www.de.debian.org/security/faq

"Security breakage in the stable distribution warrants a package on security.debian.org. Anything else does not."

"Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, work is in progress to change this, with the formation of a testing security team which has begun work to offer security support for testing, and to some extent, for unstable."

If security and reliability are important, I'd stick to stable. Period. YMMV.

It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.

> I'm more concerned about security than reliability.  I can handle
> occasional downtime if something breaks, but I'd rather avoid my
> system being compromised.

I meant to write "reliability AND security".

About 'occasional downtime': If it's a server that is supposed to be online 12 months per year, you should also consider the implications of a downtime while you are on vacation or have other important things to do ;-)


