Bug#321896: Incorrect security info on AMD64 page
Package: www.debian.org
Version: n/a
The security support for the AMD64 port is still (apparently) not
in place. However the only information on www.debian.org says that
it is. Following the instructions provided on the site is dangerous
because no security updates will be applied.
Specifically, this page:
http://www.debian.org/ports/amd64/
says:
"The stable release of the unofficial port is based on unpatched Sarge
sources and has full security support by the Debian Security Team. The
Debian-Backports and -Volatile services are fully supported, too.
...
The Debian Security Team supports updates to the unofficial Sarge
release, which are made available on security.debian.org."
Suggested correction is to put all of the "official" wording in future
tense ("will support updates ..."), and then add the correct location to
give apt to obtain the fixes now.
Additionally, the correct location cannot be found by searching
debian.org for announcements. The last announcement on the subject
(from _May_ of 2005) says the same as the AMD64 port page: go to
security.debian.org. I had to ask on LWN to get the real answer.
Another reader responded:
http://lwn.net/Articles/144530/
"Goswin von Brederlow answered this question in
http://lists.debian.org/debian-amd64/2005/07/msg00347.html.
'We are waiting on James Troup to activate amd64 on the security
servers. The buildd is otherwise setup and running.
For the time being all security builds are uploaded to
sarge-proposed-updates on amd64.debian.net and people should add
that to the sources.list for now and just till sec.d.o gets
reconfigured for us.'"
That mailing list post was a month ago. It doesn't appear the
security servers will activate amd64 any time soon so it would be
better to update the documentation to not point to them for AMD64.
Thanks,
-Ross