
Re: backports security



	Hi!

 Thanks to Sven for bringing the thread to my attention.

* Sven Hoexter <sven@timegate.de> [2009-11-19 08:42:49 CET]:
> On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> > I have searched backport, wiki web sites and still cannot
> > understand: does the Debian security team work with its packages or
> > not? In other words, using stable only and desiring the same
> > security quality, I would not use the backports repo? Am I correct?
> 
> backports.org is not under the hands of the Debian security team.

 Likewise with unstable and testing these days unfortunately. Too few
people able to put their efforts into it, overworked and stuff.

> Usually backports are based on packages from testing, in case of
> security issue uploads based on packages from unstable are allowed
> as well. It's usually the uploader of the backport who is responsible
> to care for uploads in case of security issue. So it doesn't hurt if
> you keep an eye on the backports as well that you install. Since you
> should install only selected backports where needed you've to monitor
> just those very few selected packages.

 I tried to track it myself and pester people to update their packages,
though currently I'm in a bit of time constraint trouble myself and have
to prioritize other things, it's not as if I wouldn't like to continue
on that front. :/

> Additionally there is a backports-security-announce list where
> backporters announce security-relevant uploads.

 And there is support in the security-tracker to look up open issues and
pester people that don't update their packages on backports when the fix
did finally hit unstable. Feel free to follow the links from
<http://security-tracker.debian.org/tracker/> about "Vulnerable packages
in backports".

> Gerfried: Maybe that's something that should be noted in the FAQ
> as well?

 Is now, was overdue, and thanks for the prod. :)
Rhonda

