
Re: How to keep debian current??



Hi,

There are 2 different topics.

 * Which is in better shape, "testing" or "unstable", for security issues?
   (original question)

 * What does the security team do and ensure?

On Tue, May 18, 2010 at 02:21:20PM -0500, Mark Allums wrote:
> On 5/18/2010 10:34 AM, Osamu Aoki wrote:
> > On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
> 
> >> Thank you.  This is contrary to what the main Debian site says in
> >> multiple places, but it is plausible.  Good to know.
> > 
> > Could you be more specific where you saw them or where you got this
> > impression?  So we can make corrective action to reduce confusion.
> 
> http://www.debian.org/distrib/packages
> 
>  This area contains the most recent packages in Debian. Once a package
> has met our criterion for stability and quality of packaging, it will be
> included in testing. unstable is also not supported by the security team.

I see: "unstable is also not supported by the security team".  This is
true as the official stance of the security team.

But I also see quite a bit of NMUs by many DDs (or by the maintainer) on
unstable packages fixing security issues using the latest upstream.
So it is getting some security fixes (but not by the security team).

Testing security updates require much more work, and the security team
has resource issues that keep it from being as thorough as it wants.  Thus,
coming back to the original question on the security support situation:

            testing                        vs. unstable ?
answer:     practically 0 security support vs. some security support
            ^                                  but not by the security team.
            |
            |--- usually wait for migration of the fixed package from unstable
                 (Sometimes, migration takes quite a long time)

Unstable is in better shape in general.  But it is not as secure as the
stable system with security updates by the security team.

> http://www.debian.org/doc/manuals/securing-debian-howto/ch2.en.html#s2.3
> http://www.debian.org/security/faq#unstable

All of these are true statements.

If a package is dead upstream with a slow maintainer, such a package may
stay in unstable with security issues and RC bugs.

Osamu

