Rick Moen wrote:
> Quoting Niall Walsh (linux at esatclear.ie):
>> I'm fairly certain Debian only releases security advisories for
>> packages in stable. If an issue doesn't affect stable, no advisory
>> will be released, and the problem will simply be fixed by an
>> urgency=high upload to unstable.
>
> This is an excellent point, and points out the biggest drawback of
> keeping a system on the "testing" branch, even one with easy access to
> "unstable" packages, whose owner attentively skim-reads all Debian
> Security Advisories: You might _still_ be unaware of a suddenly urgent
> need, on account of a security emergency, to do
>
>   # apt-get update && apt-get -t unstable install [packagename]
>
> ...to plug that package's security hole.

Hence I don't recommend running testing (and neither does debian) unless
you understand what is going on! It comes full circle :-)
http://www.debian.org/security/faq#testing

/Q: How is security handled for testing and unstable?/

A: The short answer is: it's not. Testing and unstable are rapidly
moving targets and the security team does not have the resources needed
to properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable. However, the
security secretaries will try to fix problems in testing and unstable
after they are fixed in the stable release.

> What would really be handy, in fact, would be an automated announce-only
> "alert" mailing list sending out all changelogs of urgency=high uploads
> to unstable. Pity it doesn't exist (to my knowledge). I might try to
> create one.

Any idea what sort of traffic this would generate, and what % of the
traffic would actually feature security issues? It is a good idea.

How about hooking it into a customised moderated forum (each mail is a
new story) to provide a peer-to-peer distributed security team for
testing/unstable? It could even release its own Packages files (or dummy
packages or something) for testing and unstable which people could use
to keep up to date. Just an idea out to the world in general, not
asking you to do it, just getting the idea out there rather than forgetting
all about it. It would also act as an ideal recruitment ground for new
members for the debian-security team!

It would be nice if there was any common way for packages solving
security issues to be flagged, but that would presumably require a change
to debian policy ... perhaps an urgency=security tag which could even
extend into apt-get et al. Of course in an ideal world it would also
tell you which versions are impacted, but that is exactly what the
debian security team doesn't have time to do, but perhaps the
maintainers can for unstable/testing as they generally probably
understand the packages quite well? I'd always be loath to suggest
extra work for the debian package maintainers, but perhaps this isn't
too onerous and would be acceptable?

Niall Walsh
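The announce-only list of urgency=high unstable uploads proposed in the thread needs exactly one piece of logic: read debian/changelog entries and keep those whose header says urgency=high for the distribution of interest. The following is an added example, not code from this thread or from Debian; the changelog text, package names, versions and maintainer address are constructed for illustration.

```python
import re
from collections import namedtuple
# Constructed sample in debian/changelog format (not a real package's history).
# Each entry opens with:  package (version) distribution(s); urgency=<level>
SAMPLE_CHANGELOG = """\
foo (1.2-3) unstable; urgency=high

  * Fix buffer overflow in the input parser (security fix).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 12:00:00 +0000

foo (1.2-2) unstable; urgency=low

  * Update documentation.

 -- Example Maintainer <maint@example.org>  Sun, 31 Dec 2000 12:00:00 +0000

bar (0.9-1) unstable; urgency=high

  * New upstream release closing a remote denial of service.

 -- Example Maintainer <maint@example.org>  Sat, 30 Dec 2000 12:00:00 +0000
"""
HEADER_RE = re.compile(
    r"^(?P<package>[a-z0-9][a-z0-9.+-]+) \((?P<version>[^)]+)\) "
    r"(?P<dists>[^;]+); urgency=(?P<urgency>[a-z]+)"
)
# dists is the space-separated distribution list; body holds the change lines.
Entry = namedtuple("Entry", "package version dists urgency body")

def parse_changelog(text):
    """Split a debian/changelog into Entry objects, newest entry first."""
    entries, current, body = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                entries.append(Entry(**current, body="\n".join(body)))
            current, body = m.groupdict(), []
        elif line.startswith("  ") and current:
            body.append(line.strip())  # "  * ..." change lines
        # blank lines and the " -- maintainer  date" trailer carry no change text
    if current:
        entries.append(Entry(**current, body="\n".join(body)))
    return entries

def urgent_uploads(text, dist="unstable"):
    # What an announce-only alert list would forward: urgency=high entries for dist.
    return [e for e in parse_changelog(text)
            if e.urgency == "high" and dist in e.dists.split()]
```

Run over the sample, urgent_uploads returns the two urgency=high entries (foo 1.2-3 and bar 0.9-1) and skips the urgency=low documentation upload.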