Re: [ILUG] (no subject)

From: Rick Moen (rick at domain linuxmafia.com)
Date: Mon 24 Jun 2002 - 21:25:47 IST


Quoting Liam Bedford (lbedford at domain lbedford.org):

> On Mon, 24 Jun 2002 09:59:41 +0100
> "Wynne, Conor" <conor_wynne at domain maxtor.com> blurted in message
> 0D443C91DCE9CD40B1C795BA222A729EDF8212 at domain milexc01.maxtor.com:

>> If you're running the Debian "stable" branch (currently 2.2 = "potato"),
>> then I strongly recommend stepping up to the "testing" branch (currently
>> 3.0 = "woody"). It strikes the right balance of leading edge but not
>> cutting edge.
>
> that fine if you don't mind being compromised (and are running a server).
> There are no security updates for testing at the moment, as they haven't got
> the security infrastructure in place (which is the reason it hasn't been
> released).

First of all, that _wasn't_ Conor who posted the quoted text, it was I.
Please get your attributions straight.

Second, what do you call this, then?

:r! grep security /etc/apt/sources.list

deb http://security.debian.org testing/updates main contrib non-free

Third, I've run the testing branch on fully Internet-exposed servers
almost since that branch was created, and long before the Debian
Security team opened the apt-get repository for it -- and my not
suffering compromises was hardly just dumb luck: Not only do I
carefully run only needed services, and so have only a few carefully
selected daemons to worry about, but I also follow security advisories.
If no "testing" version has a needed fix, I can manually do "apt-get -t
unstable install <package>". _Or just compile a tarball._

Remember ./configure ; make ; make install ? Unless your fingers have
suddenly broken, that still works.

Fourth:

> And it'll take two weeks for the packages to filter in from sid.

The heuristic for clearing a package from unstable into testing was only
_briefly_ two weeks without change plus building without error on all
CPU platforms. Your information is out of date. Here you go:

http://people.debian.org/~jules/testingfaq.html

> to quote the maintainer: Debian does not provide security updates for
> testing or for unstable. apache 1.3.26-1 went into sid today. packages
> for woody have been uploaded into the new testing-security system.
> since i have no idea how long that's going to take to be visible to
> users, http://satie.debian.org/~willy/ provides packages for those who
> have foolishly upgraded to a distribution which does not yet provide
> security releases.

Courtesy of the above-referenced security line from my
/etc/apt/sources.list, Apache version 1.3.26-0woody1 _with_ the
correctly fixed chunk-handling code, went onto my systems the same day
that an exploit was found for IA32. I believe that was June 20.

> I'm going to cc debian-devel & debian-user with this so that hopefully
> more people get to see this and STOP FILING BUGS ABOUT THIS.

That would waste their time; they already know all about it.

-- 
Cheers,   The difference between common sense and paranoia is that common sense
Rick Moen     is thinking everyone is out to get you.  That's normal; they are.
rick at domain linuxmafia.com      Paranoia is thinking they're conspiring.  -- J. Kegler
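
The check the thread keeps circling around is whether a box running "testing" actually has a matching security.debian.org line in its sources.list. The following is an added example, not part of the original post: a POSIX sh/awk audit that reads a sources.list (here a constructed sample embedded in the script) and prints every configured suite that has no corresponding "<suite>/updates" entry on security.debian.org.

```shell
#!/bin/sh
# Added example (not from the original post): audit an apt sources.list and
# report every suite that lacks a security.debian.org "<suite>/updates" line,
# so a testing/woody machine is not silently left without security fixes.

# Constructed sample sources.list: "testing" has its security line,
# "unstable" has one only as a comment, so "unstable" should be reported.
SAMPLE_SOURCES='deb http://ftp.debian.org/debian testing main contrib non-free
deb http://security.debian.org testing/updates main contrib non-free
deb http://ftp.debian.org/debian unstable main
# deb http://security.debian.org unstable/updates main
deb-src http://ftp.debian.org/debian testing main'

# Read sources.list contents on stdin; print, one per line and sorted, the
# suites (third field of each "deb" line) with no security.debian.org entry.
# Usage: suites_without_security < /etc/apt/sources.list
suites_without_security() {
    awk '
        # Ignore comments, blank lines and deb-src lines (sources need no fixes).
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || $1 == "deb-src" { next }
        $1 == "deb" {
            if ($2 ~ /^https?:\/\/security\.debian\.org/) {
                # "testing/updates" covers the suite "testing"
                split($3, parts, "/")
                covered[parts[1]] = 1
            } else {
                suites[$3] = 1
            }
        }
        END {
            for (s in suites) if (!(s in covered)) print s
        }
    ' | sort
}

# Convenience wrapper over the constructed sample, for running stand-alone.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOURCES" | suites_without_security
}

audit_sample
```

Against the sample the script prints only "unstable"; run it against a real /etc/apt/sources.list by piping the file into suites_without_security.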


This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:28 GMT