
Re: How to keep debian current??

On Sat,22.May.10, 03:03:42, Jesús M. Navarro wrote:
> The answer is "it depends".
> As already stated, there are no security updates on Sid 'per se', but they 
> depend on upstream maintainers providing a new version that hopefully will 
> resolve the problem *and* its ability to go into Sid.
> I.e.:
> Case A) Big security problem discovered on foo 1.2.3; the upstream maintainer 
> produces foo 1.2.4 which resolves the problem and in a few hours (provided 
> the Debian maintainer is available) it goes into Sid.  A week later foo 1.2.4 
> gets promoted into Testing.  So in this case, Sid is a bit ahead of Testing.

Usually security fixes are uploaded "priority=high", which means faster 
migration (3 days?). Sid is still ahead, but not by 10 days.

> Case B)  Big security problem discovered on foo 1.2.3; the upstream maintainer 
> is more interested in his upcoming great uberversion foo 2, so he doesn't fix 
> by means of 1.2.4 but by  accounting for the problem on the foo 2 branch.  
> Since foo 2 depends on a lot of a helluva of other packages it takes two 
> months for foo 2 to get into Sid.  Meanwhile, the Security team, aware of the 
> security problem, produces foo 1.2.3-patch1 backporting the security fix and 
> it goes directly into Testing, since Sid is waiting for the new 2 branch.  
> In this case Testing is the one ahead of Sid.

During this cycle the security support is not there (yet). Might happen 
during the freeze. But also the maintainer might take the *stable* patch 
and adapt it for the package in sid ;)

> In this regard, the overall balance I think still favours Testing: it usually 
> will be a bit below Sid regarding security, but it might become ahead on 
> really concerning security problems, but definitely it will be *always* ahead 
> of Sid regarding general availability and dependability (since most bugs and 
> blockages will be retained at Sid and packages will only move into Testing 
> when most problems are already tamed down).

Makes sense. And if you care about security do subscribe to 
debian-security-announce and debian-testing-security-announce. You don't 
need the latter if you run pure stable, but makes sense in any other mix 
(including backports). The traffic of both lists combined is about one 
message per day.

> My simple rule about Debian has always been:
> * Stable, if you just want to use Debian.

I install stable as much as I can due to:
- security support
- low maintenance overhead

Once installed just watch debian-security-announce (and debian-announce 
for point releases if you don't use proposed-updates) and 
update/safe-upgrade as needed.

> * Testing, if you want a peek over what Debian will be on next release and 
> want to help to hunt down the non-obvious bugs (probably because you depend 
> on the quality of Debian Stable and that's what you can do to help going for 
> it).

I installed testing for people who thought Debian is just too old 
(usually with KDE 4, which makes a good impression to Windows users).  
Unless the user already has some Debian experience it's a must have that 
I can somehow regularly access the system (usually ssh).

> * Sid, if you look for fun and have at least a mild desire to one day become a 
> DD.  If you don't want to open and follow a lot of bugs, provide patches from 
> time to time and follow the devel lists, you'd probably be better out of the 
> loop and stay on Stable or Testing.

I would get terribly bored if I was to run anything else but sid on my 
own laptop. The only other machine at home is now pure stable, but mpd 
won't play my favorite stream (aac unfortunately).
