[ILUG] Debian "testing's" security updates, revisited

From: Rick Moen (rick at domain linuxmafia.com)
Date: Thu 26 Sep 2002 - 21:52:03 IST


Quoting Gavin's mail with permission.

----- Forwarded message from Rick Moen <rick at domain linuxmafia.com> -----

Date: Thu, 26 Sep 2002 11:53:59 -0700
From: Rick Moen <rick at domain linuxmafia.com>
To: Gavin McCullagh <gavin at domain fiachra.ucd.ie>
Subject: Re: your mail

Quoting Gavin McCullagh (gavin at domain fiachra.ucd.ie):

> just a question I didn't particularly want to bother ILUG with.
> Recently there was a conversation where someone said that security updates
> were unavailable for debian's testing distro (or at least perhaps that they
> were unreliable in their speed of availability).
>
> You countered (if I recall correctly) that this had previously been
> the case but was no longer so. I can't recall whether sarge or woody was
> in testing at the time. I was reading something (which I wish I'd
> noted the url of) on the debian site yesterday which said something along
> the lines of that it could be up to a fortnight before sarge's security
> updates would come available and as such not to run it as a server.
>
> Nearly all of our machines here in the university are running
> regularly patched Woody so I'm not overly worried about them. However my
> own desktop is running Sarge (I didn't like the way so many things were
> unavailable in binary for potato while it was stable and vowed to use
> testing for myself thenceforth).
>
> Anyway, can you shed light on whether given that I have this line
> in my apt sources
>
> deb http://security.debian.org/ testing/updates main contrib non-free
>
> I can actually rely on my system being pretty secure.

Hullo, Gavin:

That's a very, very good question.

I know I said that about "deb http://security.debian.org/
testing/updates main contrib non-free" on the ILUG list, and at the time
I believed that to be sufficient access to security updates, but
recently I've become unsure.

The Debian Security Team, at http://www.debian.org/security/faq#testing,
says:

  Q: How is security handled for testing and unstable?

  A: The short answer is: it's not. Testing and unstable are rapidly
  moving targets and the security team does not have the resources needed
  to properly support those. If you want to have a secure (and stable)
  server you are strongly encouraged to stay with stable. However, the
  security secretaries will try to fix problems in testing and unstable
  after they are fixed in the stable release.

Of course, that information might be obsolete. The existence of the
security collection for testing, referenced above, argues that it's
obsolete. I'm honestly not sure what to make of all this. To make
very sure, I personally subscribe to DSAs (Debian Security Advisories)
and try to follow up manually on ones that may affect me.

One silver lining for this cloud: It used to be that packages routinely
took a fortnight to clear package quarantining from unstable into
testing. But the automated quarantine heuristics have changed: They're
no longer quite so simple a rule, but they also typically involve a much
shorter time period (usually 1-2 days).

Of course, there is no guarantee that a package maintainer will perform
a timely security patch and include it in new uploads to unstable. In
theory, the Security Team's packages are your safety net, in case such
a maintainer doesn't do that task. That is part of the reason why I
both add that testing-security line to sources.list and attentively read
the DSAs.

Sorry I can't give you a more-definitive answer. I happen to subscribe
to the debian-security mailing list (as well), so I really ought to post
there, asking for clarification.

I also really ought to post this back to ILUG, if only as a qualifier to
the earlier statement I made, there. Since I've quoted your private
mail in this reply, I'll do so only if you say you don't mind.

-- 
Cheers,              "The front line of defense against such sophisticated 
Rick Moen            viruses is a continually evolving computer operating 
rick at domain linuxmafia.com  system that attracts the efforts of eager software
                     developers."  -- Bill Gates         
----- End forwarded message -----
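An added example, not part of the thread above: a small parser for the `deb` lines of a sources.list that reports which configured suites actually have a matching `security.debian.org` entry. The sample sources.list is constructed for the demo, and the codename aliases (sarge as testing, woody as stable) reflect the date of the thread; apt itself resolves those through the Release files, which this stand-alone script does not fetch.

```python
"""Check a sources.list for security-archive coverage of each configured suite.

Added example (not code from the ILUG thread). The sources.list text and
the alias map below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass

SECURITY_HOST = "security.debian.org"

# Constructed sample, modelled on the line quoted in the thread.
SAMPLE_SOURCES_LIST = """\
# main archive (sarge was "testing" in September 2002)
deb http://ftp.debian.org/debian/ sarge main contrib non-free
deb-src http://ftp.debian.org/debian/ sarge main contrib non-free
# the testing-security line discussed in the thread
deb http://security.debian.org/ testing/updates main contrib non-free
# a stable (woody) source with no matching stable/updates line
deb http://ftp.debian.org/debian/ woody main
"""

# Codename -> suite mapping as of the thread's date (assumption for the demo;
# apt derives this from the Release files at run time).
SUITE_ALIASES_2002 = {"sarge": "testing", "woody": "stable"}


@dataclass(frozen=True)
class AptSource:
    kind: str                   # "deb" or "deb-src"
    uri: str
    suite: str                  # e.g. "woody", "testing", "testing/updates"
    components: tuple[str, ...]


def parse_sources_list(text: str) -> list[AptSource]:
    """Parse one-line-style sources.list entries; comments and blanks are skipped."""
    sources: list[AptSource] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        # apt rejects lines without type, URI and suite; we simply skip them
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        sources.append(AptSource(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return sources


def security_coverage(sources: list[AptSource],
                      aliases: dict[str, str] | None = None) -> dict[str, bool]:
    """Map each binary-package suite to whether a <suite>/updates security line exists."""
    aliases = aliases or {}

    def norm(suite: str) -> str:
        return aliases.get(suite, suite)

    binary = [s for s in sources if s.kind == "deb"]
    wanted = {norm(s.suite) for s in binary if SECURITY_HOST not in s.uri}
    covered = {
        norm(s.suite[: -len("/updates")])
        for s in binary
        if SECURITY_HOST in s.uri and s.suite.endswith("/updates")
    }
    return {suite: suite in covered for suite in sorted(wanted)}


def report(coverage: dict[str, bool]) -> list[str]:
    """Human-readable lines; testing/unstable get the caveat from the Debian FAQ."""
    lines = []
    for suite, ok in coverage.items():
        status = "security source present" if ok else "NO security source"
        if suite in ("testing", "unstable"):
            status += " (Security Team support for this suite is best-effort only)"
        lines.append(f"{suite}: {status}")
    return lines


if __name__ == "__main__":
    srcs = parse_sources_list(SAMPLE_SOURCES_LIST)
    for line in report(security_coverage(srcs, SUITE_ALIASES_2002)):
        print(line)
```

Run against the sample, the script flags the woody source as lacking a `stable/updates` line, which is the kind of gap worth catching before relying on the testing-security line alone; subscribing to DSAs, as the thread recommends, remains the backstop either way.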


This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:19:06 GMT