From: Osamu Aoki on 18 May 2010 13:20

Hi,

On Tue, May 18, 2010 at 12:11:20PM -0400, John A. Sullivan III wrote:
> On Wed, 2010-05-19 at 00:34 +0900, Osamu Aoki wrote:
> > On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
> > > On 5/17/2010 10:43 AM, Andrei Popescu wrote:
> > > >On Mon,17.May.10, 10:29:57, Mark Allums wrote:
> > > >
> > > >>Backwards. Sid gets no security, AT ALL. Testing gets some.
> > > >
> > > >If some issue is fixed for stable the fix is also applied for unstable,
> > > >unless the maintainer is unresponsive or so. In practice this means that
> > > >unstable can be in better shape than testing at times.
> > > >
> > > >Regards,
> > > >Andrei
> > >
> > > Thank you. This is contrary to what the main Debian site says in
> > > multiple places, but it is plausible. Good to know.
> >
> > Could you be more specific where you saw them or where you got this
> > impression? So we can make corrective action to reduce confusion.
> >
> > (Sid gets no corresponding "security" repository like
> > stable/updates nor testing/updates because we can upload directly to it
> > any time.)
> >
> > I am thinking to add text to Debian reference to reduce such confusion.
> >
> > Now:
> > If "sid" is used in the above example instead of "lenny", the "deb:
> > http://security.debian.org/ …" line for security updates in the
> > "/etc/apt/sources.list" is not required. Security updates are only
> > available for stable and testing (i.e., lenny and squeeze).
> >
> > (I should have explained better.)
> >
> > New:
> > If "sid" is used in the above example instead of "lenny", the "deb:
> > http://security.debian.org/ …" line for security updates in the
> > "/etc/apt/sources.list" is not required. This is because "sid"
> > (unstable) is always updated whenever security issues are fixed. There
> > is no need to have a separate security update archive for "sid".
> <snip>
> Hmm . . . to someone not more familiar with Debian practices, the new
> version seems more confusing.

????

> I would read that and think that Sid is
> very secure because it always has the latest security fixes.

Yes, that's what I mean. This is true.

> If that's
> not what we mean, then perhaps the current version needs only slight
> revision for clarity, e.g.,

English improvement welcome along the reality.

Sid is secure since security team usually upload fixed packages to both
stable/updates and unstable. (Or simply uploading updated upstream fixes
unstable while stable needs DD to fix by a special patch.)

They try or are trying to do the same for testing but resource limitation
is holding them back.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/20100518165912.GA5576(a)osamu.debian.net

From: John A. Sullivan III on 18 May 2010 13:20

On Wed, 2010-05-19 at 01:59 +0900, Osamu Aoki wrote:
> Hi,
>
> On Tue, May 18, 2010 at 12:11:20PM -0400, John A. Sullivan III wrote:
> > On Wed, 2010-05-19 at 00:34 +0900, Osamu Aoki wrote:
> > > On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
> > > > On 5/17/2010 10:43 AM, Andrei Popescu wrote:
> > > > >On Mon,17.May.10, 10:29:57, Mark Allums wrote:
> > > > >
> > > > >>Backwards. Sid gets no security, AT ALL. Testing gets some.
> > > > >
> > > > >If some issue is fixed for stable the fix is also applied for unstable,
> > > > >unless the maintainer is unresponsive or so. In practice this means that
> > > > >unstable can be in better shape than testing at times.
> > > > >
> > > > >Regards,
> > > > >Andrei
> > > >
> > > > Thank you. This is contrary to what the main Debian site says in
> > > > multiple places, but it is plausible. Good to know.
> > >
> > > Could you be more specific where you saw them or where you got this
> > > impression? So we can make corrective action to reduce confusion.
> > >
> > > (Sid gets no corresponding "security" repository like
> > > stable/updates nor testing/updates because we can upload directly to it
> > > any time.)
> > >
> > > I am thinking to add text to Debian reference to reduce such confusion.
> > >
> > > Now:
> > > If "sid" is used in the above example instead of "lenny", the "deb:
> > > http://security.debian.org/ …" line for security updates in the
> > > "/etc/apt/sources.list" is not required. Security updates are only
> > > available for stable and testing (i.e., lenny and squeeze).
> > >
> > > (I should have explained better.)
> > >
> > > New:
> > > If "sid" is used in the above example instead of "lenny", the "deb:
> > > http://security.debian.org/ …" line for security updates in the
> > > "/etc/apt/sources.list" is not required. This is because "sid"
> > > (unstable) is always updated whenever security issues are fixed. There
> > > is no need to have a separate security update archive for "sid".
> > <snip>
> > Hmm . . . to someone not more familiar with Debian practices, the new
> > version seems more confusing.
>
> ????
>
> > I would read that and think that Sid is
> > very secure because it always has the latest security fixes.
>
> Yes, that's what I mean. This is true.
>
> > If that's
> > not what we mean, then perhaps the current version needs only slight
> > revision for clarity, e.g.,
>
> English improvement welcome along the reality.
>
> Sid is secure since security team usually upload fixed packages to both
> stable/updates and unstable. (Or simply uploading updated upstream fixes
> unstable while stable needs DD to fix by a special patch.)
>
> They try or are trying to do the same for testing but resource limitation
> is holding them back.
>
>
Ah, then I misunderstood your previous message to mean Sid did not have
the latest and greatest security. Please disregard my babble then :(
Thanks - John

--
Archive: http://lists.debian.org/1274202600.20211.15.camel(a)Family.pacifera.com

From: Andrei Popescu on 18 May 2010 13:40

On Wed,19.May.10, 00:34:02, Osamu Aoki wrote:
>
> New:
> If "sid" is used in the above example instead of "lenny", the "deb:
> http://security.debian.org/ …" line for security updates in the
> "/etc/apt/sources.list" is not required. This is because "sid"
> (unstable) is always updated whenever security issues are fixed. There
> is no need to have a separate security update archive for "sid".

May I suggest:
---
If "sid" is used in the above example instead of "lenny", the "deb:
http://security.debian.org/ …" line for security updates in the
"/etc/apt/sources.list" is not required as there is no need to have a
separate security update archive for "sid". This is because "sid"
(unstable) is *usually* updated whenever security issues are fixed for
stable.

However, it can happen that the fixes are not applied immediately (e.g.
the maintainer is waiting for a new version from upstream which fixes
the issue) or issues exist which do not affect the version in stable or
testing, in which case Debian will not even issue a DSA.
---
(DSA might need expanding/explaining if not already done in some other
paragraph)

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

From: John A. Sullivan III on 18 May 2010 13:50

On Tue, 2010-05-18 at 20:30 +0300, Andrei Popescu wrote:
> On Wed,19.May.10, 00:34:02, Osamu Aoki wrote:
> >
> > New:
> > If "sid" is used in the above example instead of "lenny", the "deb:
> > http://security.debian.org/ …" line for security updates in the
> > "/etc/apt/sources.list" is not required. This is because "sid"
> > (unstable) is always updated whenever security issues are fixed. There
> > is no need to have a separate security update archive for "sid".
>
> May I suggest:
> ---
> If "sid" is used in the above example instead of "lenny", the "deb:
> http://security.debian.org/ …" line for security updates in the
> "/etc/apt/sources.list" is not required as there is no need to have a
> separate security update archive for "sid". This is because "sid"
> (unstable) is *usually* updated whenever security issues are fixed for
> stable.
>
> However, it can happen that the fixes are not applied immediately (e.g.
> the maintainer is waiting for a new version from upstream which fixes
> the issue) or issues exist which do not affect the version in stable or
> testing, in which case Debian will not even issue a DSA.
> ---
> (DSA might need expanding/explaining if not already done in some other
> paragraph)

I thought John Hasler's response was very good. It explained why I was
confused - there are security updates but they are not the same type of
updates as testing and stable receive. Perhaps John's wording should be
included; it clarified a very murky issue for me - John

--
Archive: http://lists.debian.org/1274204951.20211.18.camel(a)Family.pacifera.com

From: John Hasler on 18 May 2010 14:20

Osamu Aoki writes:
> Sid is secure since security team usually upload fixed packages to
> both stable/updates and unstable.

The security team does not support Sid. That's up to the individual
package maintainers.

> Or simply uploading updated upstream fixes unstable...

That's what the package maintainer usually does.
--
John Hasler

--
Archive: http://lists.debian.org/878w7h6qin.fsf(a)thumper.dhh.gt.org
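
An added example, not part of any message in the thread: a Python check that reads a one-line-format sources.list and reports, per suite, whether a matching security.debian.org line is present, treating sid/unstable as having no security archive as the thread describes. The sample file, the mirror host and the status labels are constructed for illustration.

```python
import re
from urllib.parse import urlparse

SECURITY_HOST = "security.debian.org"
# Per the thread: sid/unstable has no security archive; fixes arrive as
# ordinary uploads by package maintainers, so no line is expected.
NO_SECURITY_ARCHIVE = {"sid", "unstable"}

# Constructed sample, using the thread's suite names (lenny, squeeze, sid).
SAMPLE = """\
deb http://ftp.debian.org/debian/ lenny main
deb-src http://ftp.debian.org/debian/ lenny main
deb http://security.debian.org/ lenny/updates main
deb http://ftp.debian.org/debian/ squeeze main   # testing, no security line
deb http://ftp.debian.org/debian/ sid main
"""

def audit_sources(text):
    """Map each binary ('deb') suite to a security-line status."""
    suites, secured = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]                            # drop comments
        line = re.sub(r"^(\s*deb)\s+\[[^\]]*\]", r"\1", line)  # drop [options]
        fields = line.split()
        if len(fields) < 3 or fields[0] != "deb" or fields[1].startswith("cdrom:"):
            continue                                           # blank, deb-src, cdrom
        host = urlparse(fields[1]).hostname or ""
        base = fields[2].split("/", 1)[0]                      # "lenny/updates" -> "lenny"
        (secured if host == SECURITY_HOST else suites).add(base)
    report = {}
    for suite in sorted(suites):
        if suite in NO_SECURITY_ARCHIVE:
            report[suite] = "no-security-archive"
        elif suite in secured:
            report[suite] = "covered"
        else:
            report[suite] = "missing-security-line"
    return report

if __name__ == "__main__":
    for suite, status in audit_sources(SAMPLE).items():
        print(f"{suite}: {status}")
```

A "no-security-archive" result for sid is not a statement that every fix has landed; as the thread notes, that depends on the individual package maintainers.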