[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [backports & security]



* Johannes Wiedersich [2006-06-01 17:53]:
> Felix C. Stegerman wrote:
> 
> > Do you know what would be the best way to make sure I don't miss any
> > of those updates?  If I backport e.g. mysql from unstable/testing,
> > will I be able to rely on security announcements to debian-security,
> > or do I need to check for new vulnerabilities upstream?
> 
> Just looking up http://www.de.debian.org/security/faq
> 
> "Security breakage in the stable distribution warrants a package on 
> security.debian.org. Anything else does not. "
> 
> "Q: How is security handled for testing and unstable?
> 
> A: The short answer is: it's not. Testing and unstable are rapidly 
> moving targets and the security team does not have the resources needed 
> to properly support those. If you want to have a secure (and stable) 
> server you are strongly encouraged to stay with stable. However, work 
> is in progress to change this, with the formation of a testing security 
> team which has begun work to offer security support for testing, and to 
> some extent, for unstable."
> 
> If security and reliability are important, I'd stick to stable. Period. 
> YMMV.

I'll stick with stable and backport mysql, vim and the kernel myself.
I've been meaning to read the "Debian New Maintainers' Guide" anyway
;-)

I guess I'll just have to monitor upstream security announcements and
hope that I won't have to bring the service/server down (long) in case
any serious vulnerabilities are discovered.

Fortunately, the only users that will (should) be able to log in to my
server will be some friends and colleagues, so I should only have to
worry about keeping apache2 (which is in sarge) and my own backport of
mysql secure.  I might even restrict access to Public Key SSH only
(users can always forward port 80 to their local machines to access
the wiki)

> >>It's always a difficult decision between 'I'd rather have xxx' and 
> >>security. If reliability is important, I would rather stick to 
> >>stable, but YMMV.
> >I'm more concerned about security than reliability.  I can handle
> >occasional downtime if something breaks, but I'd rather avoid my
> >system being compromised.
> 
> I meant to write "reliability AND security".
> 
> About 'occsional downtime': If it's a server that is supposed to be 
> online 12 month per year, you should also consider the implications of 
> a downtime while you are on vacation or have other important things to 
> do ;-)

Many thanks for your insights ;-)


- Felix

-- 
Felix C. Stegerman <flx@obfusk.net>                  http://obfusk.net
~ "Any sufficiently advanced bug is indistinguishable from a feature."
~   -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:

Attachment: pgpzaPblnw_2x.pgp
Description: PGP signature


Reply to: