LINUX.IE, website of the Irish Linux Users' Group

[ILUG] (no subject)


Rick Moen rick at linuxmafia.com
Mon Jun 24 21:25:47 IST 2002


Quoting Liam Bedford (lbedford at lbedford.org):

> On Mon, 24 Jun 2002 09:59:41 +0100
> "Wynne, Conor" <conor_wynne at maxtor.com> blurted in message
> 0D443C91DCE9CD40B1C795BA222A729EDF8212 at milexc01.maxtor.com:

>> If you're running the Debian "stable" branch (currently 2.2 = "potato"),
>> then I strongly recommend stepping up to the "testing" branch (currently
>> 3.0 = "woody").  It strikes the right balance of leading edge but not
>> cutting edge.
>
> that's fine if you don't mind being compromised (and are running a server).
> There are no security updates for testing at the moment, as they haven't got
> the security infrastructure in place (which is the reason it hasn't been
> released). 

First of all, that _wasn't_ Conor who posted the quoted text, it was I.
Please get your attributions straight.

Second, what do you call this, then?

:r! grep  security  /etc/apt/sources.list

deb http://security.debian.org testing/updates main contrib non-free

Third, I've run the testing branch on fully Internet-exposed servers 
almost since that branch was created, and long before the Debian
Security team opened the apt-get repository for it -- and my not
suffering compromises was hardly just dumb luck:  Not only do I 
carefully run only needed services, and so have only a few carefully
selected daemons to worry about, but also follow security advisories.
If no "testing" version has a needed fix, I can manually do "apt-get -t
unstable install <package>".  _Or just compile a tarball._  

Remember ./configure ; make ; make install ?  Unless your fingers have
suddenly broken, that still works.

Fourth:

> And it'll take two weeks for the packages to filter in from sid.

The heuristic for clearing packages from unstable into testing was only
_briefly_ two weeks without change plus building without error on all
CPU platforms.  Your information is out of date.  Here you go:

http://people.debian.org/~jules/testingfaq.html

> to quote the maintainer: Debian does not provide security updates for
> testing or for unstable. apache 1.3.26-1 went into sid today. packages
> for woody have been uploaded into the new testing-security system.
> since i have no idea how long that's going to take to be visible to
> users, http://satie.debian.org/~willy/ provides packages for those who
> have foolishly upgraded to a distribution which does not yet provide
> security releases.

Courtesy of the above-referenced security line from my
/etc/apt/sources.list , Apache version 1.3.26-0woody1 _with_ the
correctly fixed chunk-handling code, went onto my systems the same day
that an exploit was found for IA32.  I believe that was June 20.

> I'm going to cc debian-devel & debian-user with this so that hopefully
> more people get to see this and STOP FILING BUGS ABOUT THIS.

That would waste their time; they already know all about it.

-- 
Cheers,   The difference between common sense and paranoia is that common sense
Rick Moen     is thinking everyone is out to get you.  That's normal; they are.
rick at linuxmafia.com      Paranoia is thinking they're conspiring.  -- J. Kegler



