Re: How to keep debian current??
On Wednesday 19 May 2010 03:45:36 Osamu Aoki wrote:
> There are 2 different topics.
> * Which is better shape "testing" or "unstable" for security issues?
> (original question)
The answer is "it depends".

As already stated, there are no security updates on Sid 'per se', but they
depend on upstream maintainers providing a new version that hopefully will
resolve the problem *and* its ability to go into Sid.

Case A) Big security problem discovered on foo 1.2.3; the upstream maintainer
produces foo 1.2.4 which resolves the problem and in a few hours (provided
the Debian maintainer is available) it goes into Sid. A week later foo 1.2.4
gets promoted into Testing. So in this case, Sid is a bit ahead of Testing.

Case B) Big security problem discovered on foo 1.2.3; the upstream maintainer
is more interested in his upcoming great uberversion foo 2, so he doesn't fix
by means of 1.2.4 but by accounting for the problem on the foo 2 branch.
Since foo 2 depends on a lot of a helluva of other packages it takes two
months for foo 2 to get into Sid. Meanwhile, the Security team, aware of the
security problem, produces foo 1.2.3-patch1 backporting the security fix and
it goes directly into Testing, since Sid is waiting for the new 2 branch.
In this case Testing is the one ahead of Sid.
All in all, if you are so concerned about security it's because you value the
system to be running in a reasonably secure and dependable way. That means
you should be concerned not only about security problems but about
integration problems too (so a package in a broken state for two weeks is a
bad idea even if it's not because of security problems but because "simple"

In this regard, the overall balance I think still favours Testing: it usually
will be a bit below Sid regarding security, but it might become ahead on
really concerning security problems, but definitely it will be *always* ahead
of Sid regarding general availability and dependability (since most bugs and
blockages will be retained at Sid and packages will only move into Testing
when most problems are already tamed down).
My simple rule about Debian has always been:
* Stable, if you just want to use Debian.
* Testing, if you want a peek over what Debian will be on next release and
want to help to hunt down the non-obvious bugs (probably because you depend
on the quality of Debian Stable and that's what you can do to help going for
* Sid, if you look for fun and have at least a mild desire to become a DD
one day. If you don't want to open and follow a lot of bugs, provide patches from
time to time and follow the devel lists, you'd probably be better out of the
loop and stay on Stable or Testing.