From: Andrei Popescu on 19 May 2010 13:10

On Wed,19.May.10, 23:28:01, Osamu Aoki wrote:
>
> So I am updating as:
>
> TIP: If "`sid`" is used in the above example instead of
> "`@-@codename-stable@-@`", the "`deb: http://security.debian.org/ ...`"
> line for security updates in the "`/etc/apt/sources.list`" is not
> required. This is because there is no security update archive for
> "`sid`" (`unstable`).
>
> NOTE: The security bugs for the `stable` archive are fixed by the Debian
> security team. This activity has been quite rigorous and reliable.
> Those for the `testing` archive may be fixed by the Debian testing
> security team. For several reasons, this activity is not as rigorous as
> that for `stable` and you may need to wait for the migration of fixed
> `unstable` packages. Those for the `unstable` archive are fixed by the
> individual maintainer. Actively maintained `unstable` packages are
> usually in a fairly good shape by leveraging latest upstream security
> fixes. See http://www.debian.org/security/faq[Debian security FAQ]
> for how Debian handles security bugs.

Sounds good to me.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
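The TIP quoted above says that a `security.debian.org` line is only needed when the sources file points at stable or testing, not at sid. The following POSIX shell script is an added example, not part of the thread or of the Debian Reference being quoted: it audits a sources.list-style file and reports whether a security line is required and present. The sample files it writes under a temporary directory (with the suite names lenny, squeeze and sid) are constructed for the demonstration; the function names `suites_in` and `check_security_source` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an apt sources file for the
# security-archive line the quoted TIP discusses.
# Assumption: one-line-style entries, "deb <url> <suite> <components>".

# Print the distinct suites named on "deb" lines of the file given as $1,
# ignoring comments and ignoring the security archive's own entries
# (their suite, e.g. "lenny/updates", is not a main-archive suite).
suites_in() {
    sed 's/#.*//' "$1" \
      | awk '$1 == "deb" && $2 !~ /security\.debian\.org/ { print $3 }' \
      | sort -u
}

# Verdict for one sources file, printed on stdout:
#   sid-no-security-needed  - only sid/unstable is used, so no line is needed
#   ok                      - stable/testing is used and a security line exists
#   missing-security        - stable/testing is used but no security line
check_security_source() {
    file="$1"
    needs_security=0
    has_security=0
    for s in $(suites_in "$file"); do
        case "$s" in
            sid|unstable) ;;            # no security update archive for sid
            *) needs_security=1 ;;      # stable, testing or a codename
        esac
    done
    # An uncommented security.debian.org line counts as present.
    if sed 's/#.*//' "$file" | grep -q 'security\.debian\.org'; then
        has_security=1
    fi
    if [ "$needs_security" -eq 0 ]; then
        echo "sid-no-security-needed"
    elif [ "$has_security" -eq 1 ]; then
        echo "ok"
    else
        echo "missing-security"
    fi
}

# Constructed sample files (not taken from any real system); they are left
# under $tmp so the reader can inspect them after the run.
tmp="${TMPDIR:-/tmp}/sources-demo.$$"
mkdir -p "$tmp"
cat > "$tmp/stable.list" <<'EOF'
deb http://ftp.debian.org/debian/ lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
EOF
cat > "$tmp/testing-nosec.list" <<'EOF'
deb http://ftp.debian.org/debian/ squeeze main
# deb http://security.debian.org/ squeeze/updates main
EOF
cat > "$tmp/sid.list" <<'EOF'
deb http://ftp.debian.org/debian/ sid main
EOF

for f in stable.list testing-nosec.list sid.list; do
    printf '%-20s %s\n' "$f" "$(check_security_source "$tmp/$f")"
done
```

Run it as-is to see the three verdicts; to audit a real machine, call `check_security_source /etc/apt/sources.list` instead of the sample files. A `missing-security` verdict on a stable or testing system means the host will not receive the security team's uploads through apt.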
From: Jesús M. Navarro on 21 May 2010 21:10

Hi, Osamu:

On Wednesday 19 May 2010 03:45:36 Osamu Aoki wrote:
> Hi,
>
> There are 2 different topics.
>
> * Which is better shape "testing" or "unstable" for security issues?
>   (original question)

The answer is "it depends".

As already stated, there are no security updates on Sid 'per se', but they depend on upstream maintainers providing a new version that hopefully will resolve the problem *and* its ability to go into Sid.

I.e.:

Case A) Big security problem discovered on foo 1.2.3; the upstream maintainer produces foo 1.2.4 which resolves the problem and in a few hours (provided the Debian maintainer is available) it goes into Sid. A week later foo 1.2.4 gets promoted into Testing. So in this case, Sid is a bit ahead of Testing.

Case B) Big security problem discovered on foo 1.2.3; the upstream maintainer is more interested in his upcoming great uberversion foo 2, so he doesn't fix by means of 1.2.4 but by accounting for the problem on the foo 2 branch. Since foo 2 depends on a helluva lot of other packages it takes two months for foo 2 to get into Sid. Meanwhile, the Security team, aware of the security problem, produces foo 1.2.3-patch1 backporting the security fix and it goes directly into Testing, since Sid is waiting for the new 2 branch. In this case Testing is the one ahead of Sid.

All in all, if you are so concerned about security it's because you value the system running in a reasonably secure and dependable way. That means you should be concerned not only about security problems but about integration problems too (so a package in a broken state for two weeks is a bad idea even if it's not because of security problems but because of "simple" bugs).

In this regard, the overall balance I think still favours Testing: it usually will be a bit below Sid regarding security, but it might become ahead on really concerning security problems, and definitely it will be *always* ahead of Sid regarding general availability and dependability (since most bugs and blockages will be retained at Sid and packages will only move into Testing when most problems are already tamed down).

My simple rule about Debian has always been:

* Stable, if you just want to use Debian.
* Testing, if you want a peek at what Debian will be on the next release and want to help hunt down the non-obvious bugs (probably because you depend on the quality of Debian Stable and that's what you can do to help going for it).
* Sid, if you look for fun and have at least a mild desire to one day become a DD. If you don't want to open and follow a lot of bugs, provide patches from time to time and follow the devel lists, you'd probably be better out of the loop and stay on Stable or Testing.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/201005220303.42972.jesus.navarro(a)undominio.net
From: Osamu Aoki on 22 May 2010 03:30

Hi,

On Sat, May 22, 2010 at 03:03:42AM +0200, Jesús M. Navarro wrote:
> Hi, Osamu:
>
> On Wednesday 19 May 2010 03:45:36 Osamu Aoki wrote:
> > Hi,
> >
> > There are 2 different topics.
> >
> > * Which is better shape "testing" or "unstable" for security issues?
> >   (original question)
>
> The answer is "it depends".

We all know this .... and I am OK with what you are talking about except one point.

> As already stated, there are no security updates on Sid 'per se', but they
> depend on upstream maintainers providing a new version that hopefully will
> resolve the problem *and* its ability to go into Sid.
...
> Meanwhile, the Security team, aware of the
> security problem, produces foo 1.2.3-patch1 backporting the security fix and
> it goes directly into Testing, since Sid is waiting for the new 2 branch.
> In this case Testing is the one ahead of Sid.

Wrong assumption. Security updates to testing are not as frequent as we wish them to be. (Already pointed out in the thread.)

Let me remind you.

http://lists.debian.org/debian-testing-security-announce/2010/01/msg00000.html

This says:

> Most of the security work done for the testing distribution during
> the last months has been through unstable and a few occasional DTSAs,
> because of the team being understaffed.

The reality is we are understaffed to do many things as much as we wish. Your contribution is most appreciated.

Osamu
--
Archive: http://lists.debian.org/20100522070444.GA2680(a)osamu.debian.net
From: Andrei Popescu on 22 May 2010 03:50

On Sat,22.May.10, 03:03:42, Jesús M. Navarro wrote:
> The answer is "it depends".
>
> As already stated, there are no security updates on Sid 'per se', but they
> depend on upstream maintainers providing a new version that hopefully will
> resolve the problem *and* its ability to go into Sid.
>
> I.e.:
> Case A) Big security problem discovered on foo 1.2.3; the upstream maintainer
> produces foo 1.2.4 which resolves the problem and in a few hours (provided
> the Debian maintainer is available) it goes into Sid. A week later foo 1.2.4
> gets promoted into Testing. So in this case, Sid is a bit ahead of Testing.

Usually security fixes are uploaded "priority=high", which means faster migration (3 days?). Sid is still ahead, but not by 10 days.

> Case B) Big security problem discovered on foo 1.2.3; the upstream maintainer
> is more interested in his upcoming great uberversion foo 2, so he doesn't fix
> by means of 1.2.4 but by accounting for the problem on the foo 2 branch.
> Since foo 2 depends on a helluva lot of other packages it takes two
> months for foo 2 to get into Sid. Meanwhile, the Security team, aware of the
> security problem, produces foo 1.2.3-patch1 backporting the security fix and
> it goes directly into Testing, since Sid is waiting for the new 2 branch.
> In this case Testing is the one ahead of Sid.

During this cycle the security support is not there (yet). Might happen during the freeze.

But also the maintainer might take the *stable* patch and adapt it for the package in sid ;)

> In this regard, the overall balance I think still favours Testing: it usually
> will be a bit below Sid regarding security, but it might become ahead on
> really concerning security problems, and definitely it will be *always* ahead
> of Sid regarding general availability and dependability (since most bugs and
> blockages will be retained at Sid and packages will only move into Testing
> when most problems are already tamed down).

Makes sense. And if you care about security do subscribe to debian-security-announce and debian-testing-security-announce. You don't need the latter if you run pure stable, but it makes sense in any other mix (including backports). The traffic of both lists combined is about one message per day.

> My simple rule about Debian has always been:
> * Stable, if you just want to use Debian.

I install stable as much as I can due to:
- security support
- low maintenance overhead

Once installed just watch debian-security-announce (and debian-announce for point releases if you don't use proposed-updates) and update/safe-upgrade as needed.

> * Testing, if you want a peek at what Debian will be on the next release and
>   want to help hunt down the non-obvious bugs (probably because you depend
>   on the quality of Debian Stable and that's what you can do to help going for
>   it).

I installed testing for people who thought Debian is just too old (usually with KDE 4, which makes a good impression on Windows users). Unless the user already has some Debian experience it's a must that I can somehow regularly access the system (usually ssh).

> * Sid, if you look for fun and have at least a mild desire to one day become a
>   DD. If you don't want to open and follow a lot of bugs, provide patches from
>   time to time and follow the devel lists, you'd probably be better out of the
>   loop and stay on Stable or Testing.

I would get terribly bored if I were to run anything else but sid on my own laptop. The only other machine at home is now pure stable, but mpd won't play my favorite stream (aac unfortunately).

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
From: Celejar on 23 May 2010 15:50

On Sat, 22 May 2010 03:03:42 +0200 "Jesús M. Navarro" <jesus.navarro(a)undominio.net> wrote:

....

> My simple rule about Debian has always been:
> * Stable, if you just want to use Debian.
> * Testing, if you want a peek at what Debian will be on the next release and
>   want to help hunt down the non-obvious bugs (probably because you depend
>   on the quality of Debian Stable and that's what you can do to help going for
>   it).
> * Sid, if you look for fun and have at least a mild desire to one day become a
>   DD. If you don't want to open and follow a lot of bugs, provide patches from
>   time to time and follow the devel lists, you'd probably be better out of the
>   loop and stay on Stable or Testing.

You omit two very good reasons (although they certainly aren't dispositive, and will not be relevant for many) to use Sid: support for newer hardware, and inclusion of newer software. I know that this has all been rehashed a million times already, but I just wanted to clarify your summary.

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
--
Archive: http://lists.debian.org/20100523154244.6bbede1a.celejar(a)gmail.com