LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Going to try debian


Rick Moen rick at linuxmafia.com
Wed Sep 8 18:59:23 IST 2004


Quoting Niall Walsh (linux at esatclear.ie):

> Hence I don't recommend running testing (and neither does debian) unless 
> you understand what is going on!  

I recommend understanding what's going on.  ;->  Again, I really think
keeping a testing+unstable system (w/pinning to testing) up to
date is no more arduous than for random Linux distributions, which is
the point I keep trying to make in order to restore perspective -- and 
from which you keep trying to distract attention, _impairing_ perspective.

Thus my point.

> It comes full circle :-)

Yes, but more my circle than yours.  ;->

> http://www.debian.org/security/faq#testing
> 
> Q: How is security handled for testing and unstable?
> 
> A: The short answer is: it's not. Testing and unstable are rapidly 
> moving targets and the security team does not have the resources needed 
> to properly support those. If you want to have a secure (and stable) 
> server you are strongly encouraged to stay with stable. However, the 
> security secretaries will try to fix problems in testing and unstable 
> after they are fixed in the stable release.

Like all good FAQs, the Debian Security FAQ serves a couple of goals
simultaneously:  It covers factual ground, in order to inform readers,
but it also strongly attempts to discourage readers from hassling the
Debian Security Team.  Therefore, it says, paraphrasing, "If you're the
sort of person who's a worrywart about security 'support' and would
otherwise hassle us about solemnly swearing to cover your sorry ass,
then we strongly encourage you to stick to the stable branch and shut
the frell up."

> Any idea what sort of traffic this would generate, and what % of the 
> traffic would actually feature security issues?  It is a good idea

No idea.  Would have to try it.

Meanwhile, I'm (very) unconvinced that DSA postings haven't, for the past
couple of years, more than adequately covered the testing branch
regardless of the Debian Security Team's careful disclaimer of any
promise to reliably do so.  I cannot recall any _significant_ security
software issue affecting "testing" (as to software on my systems, at
least) over the last few years that wasn't announced in a DSA.  Can you?

Also, your general run of Debian user will typically either read LWN, or
read a LUG mailing list, or something like that, and thus will likely
hear about _urgent_ security matters from those, as well.  If he
doesn't, the worst that typically happens is that security updates get
delayed an average of 48 hours or so for the unstable -> testing
automatic quarantining.

On Linux, it's been very rare that getting security updates within a few
days hasn't been good enough.

(I liked some of the ideas you included at the bottom of your post, but
won't comment because I really should think about them before
responding.)

 


