[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to keep debian current??

Hi, Osamu:

On Wednesday 19 May 2010 03:45:36 Osamu Aoki wrote:
> Hi,
> There are 2 different topics.
>  * Which is better shape "testing" or "unstable" for security issues?
>    (original question)

The answer is "it depends".

As already stated, there are no security updates on Sid 'per se', but they 
depend on upstream maintainers provinding a new version that hopefully will 
resolve the problem *and* its ability to go into Sid.

Case A) Big security problem discovered on foo 1.2.3; the upstream maintainer 
produces foo 1.2.4 which resolves the problem and in a few hours (provided 
the Debian maintainer is avaliable) it goes into Sid.  A week later foo 1.2.4 
gets promoted into Testing.  So in this case, Sid is a bit head of Testing.

Case B)  Big security problem discovered on foo 1.2.3; the upstream maintainer 
is more interested on his upcoming great uberversion foo 2, so he doesn't fix 
by means of 1.2.4 but by  accounting for the problem on the foo 2 branch.  
Since foo 2 depends on a lot of a helluva of other packages it takes two 
months for foo 2 to get into Sid.  Meanwhile, the Security team, aware of the 
security problem, produces foo 1.2.3-patch1 backporting the security fix and 
it goes directly into Testing, since Sid it's waiting for the new 2 branch.  
In this case Testing is the one ahead of Sid.

All in all, if you are so concerned about security it's because you value the 
system to be running in a reasonably secure and dependable way.  That means 
you should be concerned not only about security problems but about 
integration problems too (so a package in a broken state for two weeks is a 
bad idea even if it's not because security problems but because "simple" 

In this regard, the overall ballance I think still favours Testing: it usually 
will be a bit bellow Sid regarding security, but it might become ahead on 
really concerning security problems, but definetly it will be *always* ahead 
of Sid regarding general avaliability and dependability (since most bugs and 
blockages will be retained at Sid and packages will only move into Testing 
when most problems are already tamed down).

My simple rule about Debian has always been:
* Stable, if you just want to use Debian.
* Testing, if you want a peek over what Debian will be on next release and 
want to help to hunt down the non-obvious bugs (probably because you depend 
on the quality of Debian Stable and that's what you can do to help going for 
* Sid, if you look for fun and have at least a mild desire to become a day a 
DD.  If you don't want to open and follow a lot of bugs, provide patches from 
time to time and follow the devel lists, you'd probably be better out of the 
loop and stay on Stable or Testing.

Reply to: