From: John Hasler on 18 May 2010 17:40

Andrei writes:
> Please note that the Security Team does not monitor unstable. It is up
> to the individual maintainer to fix the issue.
                                          ^^^^^
Please. It's a bug or a problem. Microsoft has "issues".
--
John Hasler

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/87zkzw6hfc.fsf(a)thumper.dhh.gt.org
From: Osamu Aoki on 18 May 2010 21:40

On Tue, May 18, 2010 at 12:58:24PM -0500, John Hasler wrote:
> Osamu Aoki writes:
> > Sid is secure since the security team usually uploads fixed packages to
> > both stable/updates and unstable.
>
> The security team does not support Sid. That's up to the individual
> package maintainers.

True. But I see quite a bit of NMUs when this situation happens with a
package maintained by a lazy maintainer.

> > Or simply uploading the updated upstream fixes unstable...
>
> That's what the package maintainer usually does.

Yes. I was not precise.

Archive: http://lists.debian.org/20100519012155.GA7693(a)osamu.debian.net
From: Osamu Aoki on 18 May 2010 22:10

Hi,

There are 2 different topics.

* Which is in better shape, "testing" or "unstable", for security issues?
  (original question)
* What does the security team do and ensure?

On Tue, May 18, 2010 at 02:21:20PM -0500, Mark Allums wrote:
> On 5/18/2010 10:34 AM, Osamu Aoki wrote:
> > On Mon, May 17, 2010 at 11:07:10AM -0500, Mark Allums wrote:
>
> >> Thank you. This is contrary to what the main Debian site says in
> >> multiple places, but it is plausible. Good to know.
> >
> > Could you be more specific where you saw them or where you got this
> > impression? So we can take corrective action to reduce confusion.
>
> http://www.debian.org/distrib/packages
>
> This area contains the most recent packages in Debian. Once a package
> has met our criterion for stability and quality of packaging, it will be
> included in testing. unstable is also not supported by the security team.

I see: "unstable is also not supported by the security team".

This is true as the official stance of the security team. But I also see
quite a bit of NMUs by many DDs (or by the maintainer) on unstable packages
fixing security issues using the latest upstream. So it is getting some
security fixes (but not by the security team.)

Testing security updates require much more work, and the security team has
resource issues to be as thorough as they want.

Thus coming back to the original question on the security support situation:

  testing vs. unstable ?

  answer: practically 0 security support vs. some security support
            |                                  ^ but not by the security team.
            |
            |--- usually wait for migration of the fixed package from unstable
                 (Sometimes, migration takes quite a long time)

Unstable is in better shape in general. But it is not as secure as the
stable system with security updates by the security team.

> http://www.debian.org/doc/manuals/securing-debian-howto/ch2.en.html#s2.3
> http://www.debian.org/security/faq#unstable

All these are true statements.

If a package is dead upstream with a slow maintainer, such a package may
stay in unstable with security issues and RC bugs.

Osamu

Archive: http://lists.debian.org/20100519014536.GB6644(a)osamu.debian.net
From: Osamu Aoki on 19 May 2010 10:50

On Tue, May 18, 2010 at 11:00:41PM +0300, Andrei Popescu wrote:
>
> How about this instead of the last paragraph:
>
> ---
> Please note that the Security Team does not monitor unstable. It is up
> to the individual maintainer to fix the issue.

YES

> This may under circumstances take longer, e.g. if the maintainer is
> waiting for a new version from upstream.

Is this a realistic description? It is usually a lazy maintainer or a dead
upstream which delays such fixes. An upstream fix should likely be around
if someone fixed that for stable.

> There are also no Debian Security Advisories
> (DSA) for issues that are present in the unstable version of a software,
> but not the versions in stable and/or testing.

I see...

I now think placing a pointer to the FAQ should be a good idea to explain
all these issues. I need to think about the context of these.

This was in the section describing "archive". (I have another place where
I say "For your **production server**, the `stable` suite with the
security updates is recommended.")

So I am updating as:

TIP: If "`sid`" is used in the above example instead of
"`@-@codename-stable@-@`", the "`deb: http://security.debian.org/ ...`"
line for security updates in the "`/etc/apt/sources.list`" is not
required. This is because there is no security update archive for
"`sid`" (`unstable`).

NOTE: The security bugs for the `stable` archive are fixed by the Debian
security team. This activity has been quite rigorous and reliable. Those
for the `testing` archive may be fixed by the Debian testing security
team. For several reasons, this activity is not as rigorous as that for
`stable` and you may need to wait for the migration of fixed `unstable`
packages. Those for the `unstable` archive are fixed by the individual
maintainer. Actively maintained `unstable` packages are usually in a
fairly good shape by leveraging the latest upstream security fixes.

See http://www.debian.org/security/faq[Debian security FAQ] for how
Debian handles security bugs.

Archive: http://lists.debian.org/20100519142801.GA9148(a)osamu.debian.net
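The TIP above draws a distinction a sources.list audit can check mechanically: a `stable` (or `testing`) suite needs a matching `security.debian.org` entry to receive the security team's fixes, whereas `sid`/`unstable` has no security archive at all, so a security line for it is neither required nor meaningful. The following is an added example (not code from this thread, from the Debian Reference, or from any Debian tool); it parses one-line-style `sources.list` text and reports, per suite, whether security coverage is configured. The sample inputs are constructed, and the `<suite>-security` layout it also accepts is the one used by releases later than this thread, so the example is slightly more general than the 2010 `<suite>/updates` form Osamu refers to.

```python
"""Audit apt sources.list text for Debian security-update coverage.

Added example (not from the thread or from Debian itself). Encodes the rule
discussed above: stable/testing get fixes through the security archive on
security.debian.org; sid/unstable has no security archive, so no security
line can apply to it.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SECURITY_HOST = "security.debian.org"
# Suites that have no separate security archive (per the thread).
NO_SECURITY_ARCHIVE = {"sid", "unstable"}


@dataclass(frozen=True)
class Finding:
    suite: str
    status: str  # "ok", "missing-security" or "no-archive"


def parse_sources(text):
    """Yield (type, uri, suite) for each active one-line-style entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
            continue
        idx = 1
        if parts[idx].startswith("["):        # skip an optional [options] field
            while idx < len(parts) and not parts[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx + 1 >= len(parts):
            continue                          # malformed entry: no suite component
        yield parts[0], parts[idx], parts[idx + 1]


def _is_security_entry(uri, suite, base):
    """True if (uri, suite) is the security-archive entry for suite `base`."""
    host = urlsplit(uri).hostname or ""
    # "<suite>/updates" is the layout the thread refers to (e.g. stable/updates);
    # "<suite>-security" is the layout Debian adopted in later releases.
    return host == SECURITY_HOST and suite in (f"{base}/updates", f"{base}-security")


def audit_sources(text):
    """Return one Finding per binary (deb) suite configured in the text."""
    entries = list(parse_sources(text))
    base_suites = sorted({s for t, u, s in entries
                          if t == "deb" and (urlsplit(u).hostname or "") != SECURITY_HOST})
    findings = []
    for base in base_suites:
        if base in NO_SECURITY_ARCHIVE:
            findings.append(Finding(base, "no-archive"))
        elif any(_is_security_entry(u, s, base) for t, u, s in entries if t == "deb"):
            findings.append(Finding(base, "ok"))
        else:
            findings.append(Finding(base, "missing-security"))
    return findings


# Constructed sample inputs (not taken from the thread).
SAMPLE_STABLE_OK = """\
deb http://ftp.debian.org/debian stable main
deb-src http://ftp.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
"""
SAMPLE_STABLE_MISSING = "deb http://ftp.debian.org/debian stable main\n"
SAMPLE_SID = "deb http://ftp.debian.org/debian sid main\n"

if __name__ == "__main__":
    for name, text in [("stable-ok", SAMPLE_STABLE_OK),
                       ("stable-missing", SAMPLE_STABLE_MISSING),
                       ("sid", SAMPLE_SID)]:
        print(name, audit_sources(text))
```

Run it against the contents of `/etc/apt/sources.list` (read the file and pass the text to `audit_sources`); a `missing-security` finding for a `stable` suite is the configuration mistake the TIP warns against, while `no-archive` for `sid` simply confirms that no security line could help there.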
From: Boyd Stephen Smith Jr. on 19 May 2010 10:50
On Tuesday 18 May 2010 20:45:36 Osamu Aoki wrote:
> Hi,
>
> There are 2 different topics.
>
> * Which is in better shape, "testing" or "unstable", for security issues?
> (original question)

My gut, based on both the discussions in the thread and sources on the
debian.org site, tells me that Sid is slightly better, for now. When the
security team has the resources to pay attention to testing (perhaps
during the freeze?), they are about on par with each other.

Stable+security is, of course, the best, but the versions of the software
available there may not be sufficient for your needs. Using backports
doesn't help here -- security updates to backports are done in roughly the
same way security updates to Sid are.

> * What does the security team do and ensure?

The security team is responsible for preparing new package versions for
stable and oldstable, since it is rarely appropriate for security upgrades
to be delayed until the next point release. They follow Debian policy on
this and do not package new upstream versions, but instead cherry-pick and
backport the patches required to fix the issue. Some upstream projects
make this difficult, and in rare cases those packages will be "abandoned"
by the security team. AFAIK, there's no list of these packages available;
you have to monitor the security-announce mailing list to be notified.

In addition, the security team is responsible for preparing the Debian
Security Advisories (DSAs) that are sent to the security-announce list
when a security vulnerability is identified and fixed. Besides providing
on-time notification of fixes, this also ties the vulnerability to CVE
numbers so persons or organizations that track issues there can easily
determine the status of that vulnerability in Debian.

Finally, when the security team has enough manpower, they provide security
updates to testing, usually by accelerating the migration of a package
version from Sid.

Any DD can perform an NMU to a package in Sid that has an open security
issue. Members of the security team sometimes do this for packages in Sid,
but it is usually left up to the maintainer.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss(a)iguanasuicide.net                     ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/