[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages temporarily disappearing from Testing/Lenny

On 2008-04-15 01:47 +0200, Douglas A. Tutty wrote:

> On Mon, Apr 14, 2008 at 08:20:00PM +0200, David wrote:
>  
>> comix - The version in Testing had security problems, so it was
>> removed automatically (however, the insecure version stayed in
>> Unstable). Almost a month later a fixed version was uploaded to stable
>> and 10 days later it moved to Testing.
>
> Everyone who thinks of using Sid needs to read and understand this
> paragraph.  "However, the insecure version stayed in Unstable".  Just
> because Sid includes the latest doesn't mean its the greatest.  I don't
> think that, e.g. aptitude pops up a warning "WARNING: you are trying to
> install an insecure version of comix".  

It is true that sid users should generally check out for grave bugs and
security issues of packages they want to install, but the same holds for
testing.  After all, buggy packages will not be removed quickly and an
update will first be available in unstable before it migrates to testing.

> At least if you run testing, if something proves insecure it will 
> be either fixed in unstable and migrate after 10 days, or (I think)
> will be removed from testing.

If the maintainer acts correctly and uploads the package with
urgency=high, it can migrate after only two days.  However, that's often
not possible, because the package must also have been built on all 11
release architectures and its dependencies have to be fulfilled in
testing.  For packages with many dependencies this does not seldom take
months.  The testing-security support we now enjoy has mitigated the
situation somewhat, but testing is still the worst Debian branch
security-wise.

As for the removals: packages with many reverse dependencies or packages
that are very popular among users never get removed from testing, as far
as I can see.  Otherwise the Mozilla packages would be out of testing
most of the time. :-/

>  It is often said that our testing branch
> is like other distro's stable or release branch.  This may be true, but
> Unstable (Sid) is unstable and at any given time may have serious
> security issues.  Beware.

Security is really the least thing you have to worry about if you use
sid.  The problems are elsewhere: packages may not be installable due to
missing dependencies (never happens in stable or testing), installation
fails (most common reason is that the package contains files that are
also in another package - never happens in stable and very rarely in
testing) or a package may not work at all for one or the other reason.
These are the real problems when you use sid, not security.

Sven
Reply to: