From: Mark Allums on 18 May 2010 15:30

On 5/18/2010 10:34 AM, Osamu Aoki wrote:
> On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
>> Thank you. This is contrary to what the main Debian site says in
>> multiple places, but it is plausible. Good to know.
>
> Could you be more specific where you saw them or where you got this
> impression? So we can make corrective action to reduce confusion.

http://www.debian.org/distrib/packages

This area contains the most recent packages in Debian. Once a package has met our criterion for stability and quality of packaging, it will be included in testing. unstable is also not supported by the security team.

http://www.debian.org/doc/manuals/securing-debian-howto/ch2.en.html#s2.3

2.3 How does Debian handle security?
.. .. ..
Information regarding security is centralized in a single point, http://security.debian.org/.

http://www.debian.org/security/faq#unstable

Q: How is security handled for unstable?
A: The short answer is: it's not. Unstable is a rapidly moving target and the security team does not have the resources needed to properly support it. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4BF2E8B0.6030006(a)allums.com

From: Andrei Popescu on 18 May 2010 16:10

On Tue,18.May.10, 13:49:11, John A. Sullivan III wrote:
> >
> > May I suggest:
> > ---
> > If "sid" is used in the above example instead of "lenny", the "deb:
> > http://security.debian.org/ …" line for security updates in the
> > "/etc/apt/sources.list" is not required as there is no need to have a
> > separate security update archive for "sid". This is because "sid"
> > (unstable) is *usually* updated whenever security issues are fixed for
> > stable.
> >
> > However, it can happen that the fixes are not applied immediately (e.g.
> > the maintainer is waiting for a new version from upstream which fixes
> > the issue) or issues exist which do not affect the version in stable or
> > testing, in which case Debian will not even issue a DSA.
> > ---
> > (DSA might need expanding/explaining if not already done in some other
> > paragraph)
> I thought John Hasler's response was very good. It explained why I was
> confused - there are security updates but they are not the same type of
> updates as testing and stable receive. Perhaps John's wording should be
> included; it clarified a very murky issue for me - John

How about this instead of the last paragraph:

---
Please note that the Security Team does not monitor unstable. It is up to the individual maintainer to fix the issue. This may under circumstances take longer, e.g. if the maintainer is waiting for a new version from upstream.

There are also no Debian Security Advisories (DSA) for issues that are present in the unstable version of a software, but not the versions in stable and/or testing.
---

Aoki-san, what do you think, is this getting too long? I also thought about mentioning alternate sources to get security information (CVEs and such).

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

From: Mark Allums on 18 May 2010 16:20

On 5/18/2010 2:21 PM, Mark Allums wrote:
> On 5/18/2010 10:34 AM, Osamu Aoki wrote:
>> On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
>
>>> Thank you. This is contrary to what the main Debian site says in
>>> multiple places, but it is plausible. Good to know.
>>
>> Could you be more specific where you saw them or where you got this
>> impression? So we can make corrective action to reduce confusion.
>
>
> http://www.debian.org/distrib/packages
> http://www.debian.org/doc/manuals/securing-debian-howto/ch2.en.html#s2.3
> http://www.debian.org/security/faq#unstable

I would like to reiterate that there are lots of places where either it is implied that the security team handles all, or that unstable never gets fixes, not just those three I quoted (above) in a previous post. And that also does not include the various wikis, and odd corners that are Debian-affiliated, but not part of the official site.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4BF2F541.1000304(a)allums.com

From: Sjoerd Hardeman on 18 May 2010 17:10

On 18-05-10 21:21, Mark Allums wrote:
> On 5/18/2010 10:34 AM, Osamu Aoki wrote:
>> On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
>
>>> Thank you. This is contrary to what the main Debian site says in
>>> multiple places, but it is plausible. Good to know.
>>
>> Could you be more specific where you saw them or where you got this
>> impression? So we can make corrective action to reduce confusion.
>
> ...
>
> Information regarding security is centralized in a single point,
> http://security.debian.org/.
>

Anyway, to also clearly answer the question about testing security support, same manual #8:

Q: How is security handled for testing?
A: If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, there is security support for testing: The Debian testing security team handles issues for testing. They will make sure that the fixed packages enter testing in the usual way by migration from unstable (with reduced quarantine time), or, if that still takes too long, make them available via the normal http://security.debian.org infrastructure. To use it, make sure the following line is in /etc/apt/sources.list:

So yes, testing *does* receive security support

Sjoerd

From: Andrei Popescu on 18 May 2010 17:20

On Tue,18.May.10, 22:59:46, Sjoerd Hardeman wrote:
>
> So yes, testing *does* receive security support

http://lists.debian.org/debian-testing-security-announce/2008/12/msg00019.html
http://lists.debian.org/debian-testing-security-announce/2010/01/msg00000.html

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
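
The per-suite rule the thread converges on (stable and testing are served through security.debian.org, sid has no separate security archive) can be checked against a sources.list. The following is an added example, not part of any post in this thread and not Debian's own tooling; the sample file, the function names and the status labels are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample sources.list (not taken from the thread).
SAMPLE = """\
deb http://ftp.debian.org/debian lenny main
deb http://security.debian.org/ lenny/updates main   # stable security archive
deb [arch=amd64] http://ftp.debian.org/debian testing main contrib
deb-src http://ftp.debian.org/debian sid main
"""

SECURITY_HOST = "security.debian.org"
UNSTABLE = {"sid", "unstable"}  # no separate security archive, no DSAs

def parse_entries(text):
    """Yield (uri, suite) for every deb/deb-src line, ignoring comments and [options]."""
    for raw in text.splitlines():
        fields = re.sub(r"\[[^\]]*\]", " ", raw.split("#", 1)[0]).split()
        if len(fields) >= 3 and fields[0] in ("deb", "deb-src"):
            yield fields[1], fields[2]

def audit(text):
    """Map each configured suite to 'ok', 'missing' or 'not-applicable'."""
    suites, secured = set(), set()
    for uri, suite in parse_entries(text):
        name = suite.split("/", 1)[0]          # "lenny/updates" -> "lenny"
        if urlparse(uri).hostname == SECURITY_HOST:
            secured.add(name)
        else:
            suites.add(name)
    report = {}
    for name in sorted(suites):
        if name in UNSTABLE:
            report[name] = "not-applicable"    # fixes arrive via maintainer uploads
        elif name in secured:
            report[name] = "ok"
        else:
            report[name] = "missing"           # no security.debian.org entry for this suite
    return report

if __name__ == "__main__":
    for suite, status in audit(SAMPLE).items():
        print(f"{suite:10} {status}")
```

A "not-applicable" result for sid means only that no archive line is expected; as the thread notes, fix timing there depends on the individual maintainer.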