
Re: How to keep debian current??



On Tuesday 18 May 2010 20:45:36 Osamu Aoki wrote:
> Hi,
> 
> There are 2 different topics.
> 
>  * Which is better shape "testing" or "unstable" for security issues?
>    (original question)

My gut, based on both the discussions in the thread and sources on the 
debian.org site, tells me that Sid is slightly better, for now.

When the security team has the resources to pay attention to testing (perhaps 
during the freeze?), they are about on par with each other.

Stable+security is, of course, the best but the versions of the software 
available there may not be sufficient for your needs.  Using backports doesn't 
help here -- security updates to backports are done in roughly the same way 
security updates to Sid are.

>  * What does security team do and ensures?

The security team is responsible for preparing new package versions for stable 
and oldstable, since it is rarely appropriate for security upgrades to be 
delayed until the next point release.  They follow Debian policy on this and 
do not package new upstream versions, but instead cherry-pick and backport the 
patches required to fix the issue.

Some upstream projects make this difficult, and in rare cases those packages 
will be "abandoned" by the security team.  AFAIK, there's no list of these 
packages available; you have to monitor the security-announce mailing list to 
be notified.

In addition, the security team is responsible for preparing the Debian 
Security Advisories (DSAs) that are sent to the security-announce list when a 
security vulnerability is identified and fixed.  Besides providing on-time 
notification of fixes, this also ties the vulnerability to CVE numbers so 
persons or organizations that track issues there can easily determine the 
status of that vulnerability in Debian.

Finally, when the security team has enough manpower, they provide security 
updates to testing, usually by accelerating the migration of a package version 
from Sid.

Any DD can perform an NMU to a package in Sid that has an open security issue.  
Members of the security team sometimes do this for packages in Sid, but it is 
usually left up to the maintainer.
-- 
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/
