Re: backports security
Hi, Paul:

On Saturday 21 November 2009 00:36:12 Paul E Condon wrote:
> On 20091120_212056, Jesús M. Navarro wrote:

[...]

>> Unfortunately? I'd better say by design. Unstable/Testing is not there to provide a product to final users but to provide a testbed for software integration. If there's a problem with a software package you:
>> a) Resolve it if it's a problem with the way Debian packages it.
>> b) Wait for upstream to resolve the problem.
>> I don't see how deriving away to those goals would be in benefit of anyone, even if you could count with enough hands to manage the task. I in fact find that too many times package maintainers are too bland regarding what their real work should be in that neither unstable nor testing is the testbed for *the programs* but for their packaging, so I wouldn't send to unstable software known to be non-production ready (i.e.: KDE prior to 4.4 or even 4.5).
>
> Your position is commendable as an ideal way to operate Debian, but ... In the real world, there are a lot of people who are quite unaware of how special Debian is

Therefore the proper path of action is to tell them what to expect. I think it's even in the Bible: teach the ignorant.

> Without backports, these people would be constantly nagging for a way to cross-install packages from other distros.

I won't buy that. Without backports *and* knowledge, maybe. Backports fill an important and interesting hole, but come at a price. Using third party packages (may) fill an important hole, but come at a price. It is both the responsibility and the advantage of the user to know how it is expected from them to use some tools and, anyway, what's the price they'll have to pay for them, so they can properly find the cost/benefit equation. No one is benefiting anyone by hiding the related costs of a choice till it's too late.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: backports security
Hi Gerfried:

On Thursday 19 November 2009 13:55:25 Gerfried Fuchs wrote:
> Hi!
>
> Thanks to Sven for bringing the thread to my attention.
>
> * Sven Hoexter s...@timegate.de [2009-11-19 08:42:49 CET]:
>> On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
>>> I have searched backport, wiki web sites and still can not
>>
>> backports.org is not under the hands of the Debian security team.
>
> Likewise with unstable and testing these days unfortunately. Too little people able to put their efforts into it, overworked and stuff.

Unfortunately? I'd better say by design. Unstable/Testing is not there to provide a product to final users but to provide a testbed for software integration. If there's a problem with a software package you:

a) Resolve it if it's a problem with the way Debian packages it.
b) Wait for upstream to resolve the problem.

I don't see how deriving away to those goals would be in benefit of anyone, even if you could count with enough hands to manage the task. I in fact find that too many times package maintainers are too bland regarding what their real work should be in that neither unstable nor testing is the testbed for *the programs* but for their packaging, so I wouldn't send to unstable software known to be non-production ready (i.e.: KDE prior to 4.4 or even 4.5).
Re: backports security
On 20091120_212056, Jesús M. Navarro wrote:
> Hi Gerfried:
>
> On Thursday 19 November 2009 13:55:25 Gerfried Fuchs wrote:
>> Hi!
>>
>> Thanks to Sven for bringing the thread to my attention.
>>
>> * Sven Hoexter s...@timegate.de [2009-11-19 08:42:49 CET]:
>>> On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
>>>> I have searched backport, wiki web sites and still can not
>>>
>>> backports.org is not under the hands of the Debian security team.
>>
>> Likewise with unstable and testing these days unfortunately. Too little people able to put their efforts into it, overworked and stuff.
>
> Unfortunately? I'd better say by design. Unstable/Testing is not there to provide a product to final users but to provide a testbed for software integration. If there's a problem with a software package you:
> a) Resolve it if it's a problem with the way Debian packages it.
> b) Wait for upstream to resolve the problem.
> I don't see how deriving away to those goals would be in benefit of anyone, even if you could count with enough hands to manage the task. I in fact find that too many times package maintainers are too bland regarding what their real work should be in that neither unstable nor testing is the testbed for *the programs* but for their packaging, so I wouldn't send to unstable software known to be non-production ready (i.e.: KDE prior to 4.4 or even 4.5).

Your position is commendable as an ideal way to operate Debian, but ...

In the real world, there are a lot of people who are quite unaware of how special Debian is, and think, quite unrealistically, that it is just another variant of RedHat or Ubuntu or whatever. Without backports, these people would be constantly nagging for a way to cross-install packages from other distros. I think life would actually be a lot less pleasant for people like you who want to work on a good, solid, reliable distro.

--
Paul E Condon
pecon...@mesanetworks.net
Re: backports security
Hi!

Thanks to Sven for bringing the thread to my attention.

* Sven Hoexter s...@timegate.de [2009-11-19 08:42:49 CET]:
> On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
>> I have searched backport, wiki web sites and still can not understand: does the Debian security team work with its packages or not? In other words, using stable only and desiring the same security quality, I would not use the backports repo? Am I correct?
>
> backports.org is not under the hands of the Debian security team.

Likewise with unstable and testing these days unfortunately. Too little people able to put their efforts into it, overworked and stuff.

> Usually backports are based on packages from testing; in case of security issues, uploads based on packages from unstable are allowed as well. It's usually the uploader of the backport who is responsible to care for uploads in case of a security issue. So it doesn't hurt if you keep an eye on the backports as well that you install. Since you should install only selected backports where needed you've to monitor just those very few selected packages.

I tried to track it myself and pester people to update their packages, though currently I'm in a bit of time constraint trouble myself and have to prioritize other things; it's not like I wouldn't like to continue on that front. :/

> Additionally there is a backports-security-announce list where backporters announce security relevant uploads.

And there is support in the security-tracker to look up open issues and pester people that don't update their packages on backports when the fix did finally hit unstable. Feel free to follow the links from http://security-tracker.debian.org/tracker/ about Vulnerable packages in backports.

> Gerfried: Maybe that's something that should be noted in the FAQ as well?

Is now, was overdue, and thanks for the prod. :)

Rhonda
backports security
Good day.

I have searched backport, wiki web sites and still can not understand: does the Debian security team work with its packages or not? In other words, using stable only and desiring the same security quality, I would not use the backports repo? Am I correct?

Thank You for Your time.
Re: backports security
On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> Good day.
>
> I have searched backport, wiki web sites and still can not understand: does the Debian security team work with its packages or not? In other words, using stable only and desiring the same security quality, I would not use the backports repo? Am I correct?

backports.org is not under the hands of the Debian security team.

Usually backports are based on packages from testing; in case of security issues, uploads based on packages from unstable are allowed as well. It's usually the uploader of the backport who is responsible to care for uploads in case of a security issue. So it doesn't hurt if you keep an eye on the backports as well that you install. Since you should install only selected backports where needed you've to monitor just those very few selected packages.

Additionally there is a backports-security-announce list where backporters announce security relevant uploads.

Gerfried: Maybe that's something that should be noted in the FAQ as well?

Sven
--
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
[The Cardigans - 03:45: No sleep]
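Sven's advice above (keep an eye on the few backports you actually install) is easier to follow when the machine can tell you which installed packages came from the backports suite. The script below is an added example written for this page, not code from Sven, from backports.org or from Debian: it decides origin by matching each installed (package, version) pair against the Packages index apt downloaded for that suite, so it needs no assumption about version naming. The paths in the comments are assumed and the sample data is constructed.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from backports.org).
# Lists the installed packages that came from a backports suite: the short list
# whose security announcements you have to follow yourself. Origin is decided by
# matching each installed (package, version) pair against the Packages index apt
# downloaded for that suite, so no assumption about version naming is needed.
#
# Real inputs (assumed paths, adjust to your mirror and suite):
#   INDEX:     /var/lib/apt/lists/*backports*_Packages
#   INSTALLED: dpkg-query -W -f='${Package} ${Version}\n'

# list_backported INDEX INSTALLED
#   Prints "package version" for every line of INSTALLED whose exact version
#   appears in INDEX. INDEX must be non-empty: with the NR==FNR idiom an empty
#   first file makes awk read INSTALLED as the index, and nothing is printed.
list_backported() {
    awk '
        NR == FNR {
            # Pass 1 (the index): remember every Package/Version pair.
            if ($1 == "Package:")      pkg = $2
            else if ($1 == "Version:") in_index[pkg " " $2] = 1
            next
        }
        {
            # Pass 2 (dpkg-query output): "name version" per line.
            key = $1 " " $2
            if (key in in_index) print key
        }
    ' "$1" "$2"
}

# Constructed sample data standing in for the two real inputs: a two-entry
# backports index and a dpkg-query listing in which only mysql-server-5.0 is
# installed at the backports version (vim is still the stable 6.3 build).
write_samples() {
    INDEX=$(mktemp)
    INSTALLED=$(mktemp)
    cat > "$INDEX" <<'EOF'
Package: mysql-server-5.0
Version: 5.0.22-1bpo1
Architecture: powerpc

Package: vim
Version: 7.0-1bpo1
Architecture: powerpc
EOF
    cat > "$INSTALLED" <<'EOF'
apache2 2.0.54-5
mysql-server-5.0 5.0.22-1bpo1
vim 6.3-071+1sarge1
EOF
}

# Demo on the constructed data: prints "mysql-server-5.0 5.0.22-1bpo1".
write_samples
list_backported "$INDEX" "$INSTALLED"
rm -f "$INDEX" "$INSTALLED"
```

On a real system, pass the backports Packages file from /var/lib/apt/lists/ and the dpkg-query output; the resulting short list is what you cross-check against backports-security-announce and the security tracker's "vulnerable packages in backports" view mentioned elsewhere in the thread. Note that a package merely available in backports (vim in the sample) is not reported unless the installed version is the backported one.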
Re: [backports security]
* Johannes Wiedersich [2006-06-01 17:53]:
> Felix C. Stegerman wrote:
>> Do you know what would be the best way to make sure I don't miss any of those updates? If I backport e.g. mysql from unstable/testing, will I be able to rely on security announcements to debian-security, or do I need to check for new vulnerabilities upstream?
>
> Just looking up http://www.de.debian.org/security/faq
>
> Security breakage in the stable distribution warrants a package on security.debian.org. Anything else does not.
>
> Q: How is security handled for testing and unstable?
> A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, work is in progress to change this, with the formation of a testing security team which has begun work to offer security support for testing, and to some extent, for unstable.
>
> If security and reliability are important, I'd stick to stable. Period. YMMV.

I'll stick with stable and backport mysql, vim and the kernel myself. I've been meaning to read the Debian New Maintainers' Guide anyway ;-)

I guess I'll just have to monitor upstream security announcements and hope that I won't have to bring the service/server down (long) in case any serious vulnerabilities are discovered. Fortunately, the only users that will (should) be able to log in to my server will be some friends and colleagues, so I should only have to worry about keeping apache2 (which is in sarge) and my own backport of mysql secure. I might even restrict access to Public Key SSH only (users can always forward port 80 to their local machines to access the wiki).

>>> It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.
>>
>> I'm more concerned about security than reliability. I can handle occasional downtime if something breaks, but I'd rather avoid my system being compromised.
>
> I meant to write reliability AND security.
>
> About 'occasional downtime': If it's a server that is supposed to be online 12 months per year, you should also consider the implications of a downtime while you are on vacation or have other important things to do ;-)

Many thanks for your insights ;-)

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
* Roberto C. Sanchez [EMAIL PROTECTED] [2006-06-01 16:33]:
> Felix C. Stegerman wrote:
>> I'm running unstable on my desktop (well, actually a laptop), so I'm accustomed to the occasional breakage and could probably live with it. I'm just reluctant to use unstable on a production server connected to the internet, because I don't want to leave the server (potentially) vulnerable. If, however, security updates to unstable are reliable enough, I would seriously consider using it (and test upgrades on my laptop first).
>>
>> Would you say unstable is reliable enough to use on a production server that can handle occasional downtime? Without any unnecessary risk of leaving it open to vulnerabilities?
>
> Personally, I stick to stable servers since I don't have time to babysit them through frequent dist-upgrades. If you need only a few more recent packages, then stable+backports is probably your best bet. If you need lots of new packages, then unstable might work for you. However, you must realize that many (nearly all) Debian developers are volunteers (i.e., their employers do not pay them to work on Debian full time) and so packages can fall behind upstream releases because the maintainer gets busy.
>
> For a good example of this, see http://bugs.debian.org/src:cyrus-sasl2
>
> The cyrus-sasl2 package is arguably a very important package. However, it is now something like three or four minor versions behind upstream and has a ton of bugs. That is not a good situation and the maintainer has recently orphaned it. However, there is enough attention from other Debian developers that at least security issues are resolved. I would be careful of using a server running on unstable that uses packages which have been orphaned, as those are generally the least likely to receive attention.

As I replied to Johannes Wiedersich, I've decided to go with stable and do some backports myself. Many thanks for your insights.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
Felix C. Stegerman writes:
> I'll stick with stable and backport mysql, vim and the kernel myself.

First check backports.org. Someone probably has already done it (and there are 2.6 kernels in Stable).
--
John Hasler
Re: [backports security]
* John Hasler [EMAIL PROTECTED] [2006-06-04 18:34]:
> Felix C. Stegerman writes:
>> I'll stick with stable and backport mysql, vim and the kernel myself.
>
> First check backports.org. Someone probably has already done it (and there are 2.6 kernels in Stable).

backports.org has mysql-server 5.0, but neither vim 7.0 nor linux-image 2.6.16 for powerpc. And since the latest 2.6 kernels for ppc are much better than older ones, I'd rather use 2.6.16 than 2.6.8.

Thanks for the tip though.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
Felix C. Stegerman [EMAIL PROTECTED] wrote:
> * Also, since even backports.org does not seem to have vim 7.0 and kernel 2.6.16 (yet), what would be the best way/place to get these from? Should I (try to) backport them myself?

It is said that compiling your own kernel with make-kpkg should be pretty easy. It generates a kernel package which you can then install with dpkg -i. Never tried it myself though ...

Compiling smaller software is generally just a matter of running make, make install. YMMV

Andrei
--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: [backports security]
* Andrei Popescu [EMAIL PROTECTED] [2006-06-01 08:10]:
>> * Also, since even backports.org does not seem to have vim 7.0 and kernel 2.6.16 (yet), what would be the best way/place to get these from? Should I (try to) backport them myself?
>
> It is said that compiling your own kernel with make-kpkg should be pretty easy. It generates a kernel package which you can then install with dpkg -i. Never tried it myself though ...
>
> Compiling smaller software is generally just a matter of running make, make install. YMMV

I know ;-) I've used make-kpkg a lot. I'm not sure whether it's easy to install one of the newer kernels (even a self-compiled one) on sarge though, since it may depend on newer versions of e.g. yaird.

Thanks anyway.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
* Robert Van Horn [EMAIL PROTECTED] [2006-06-01 08:41]:
>> * Are you using unofficial repositories (e.g. backports.org) on production servers?
>> * Do you (and can I) trust backports.org?
>> * Also, since even backports.org does not seem to have vim 7.0 and kernel 2.6.16 (yet), what would be the best way/place to get these from? Should I (try to) backport them myself?
>
> Hi,
>
> I use unstable on 6 production servers with very little problem. I compile my own kernels and use mysql out of the box from http://dev.mysql.com/downloads/
> I'm using gvim 6.4.1 so don't know about 7.0. Also I find it nicer to compile apache outside of debian - easier for me to keep track of multiple http servers in /usr/local/ than wherever debian puts them. If there is a mess up on an upgrade it can be a big pain to fix.

I've thought about using unstable (see an earlier thread I started), and decided to go with stable instead. But it's nice to know that unstable can be used with very little problem.

Next time, please reply on-list, and don't top-post.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
Felix C. Stegerman wrote:
> I'm about to install sarge on a (production) server of my own, and would rather like to have the latest versions of:
> * mysql (5.0)
> * vim (7.0)
> * the Linux kernel (2.6.16) [ppc]

The latter will probably cause the most problems. The Debian packages of the later kernels depend on a later version of libc6, with all the further dependency implications. You will probably be able to use the kernels you compile yourself.

For the rest, you could consider mixing stable and testing (through APT pinning.) MySQL 5 is definitely in testing and vim 7 will make it there eventually.

Hope this helps,

--
George Borisov
DXSolutions Ltd
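George's suggestion of mixing stable and testing through APT pinning is only as safe as the pins themselves: if the wildcard pin for testing is not strictly below stable's, apt takes the newest version of every package from testing at the next upgrade, and the box quietly stops being a stable system. The script below is an added example written for this page, not code from George or from Debian; it audits an /etc/apt/preferences file for that condition and lists the named packages that are allowed in from testing. It assumes the documented "Pin: release a=<suite>" stanza form, APT's default priority of 500 for a suite with no explicit wildcard pin, and that APT::Default-Release is not also set in apt.conf; the sample files are constructed.

```shell
#!/bin/sh
# Added example for this thread (not from George or any Debian tool). When you
# mix stable and testing through APT pinning, the intent is "stable by default,
# a few named packages from testing". The classic mistake is a "Package: *" pin
# that leaves testing at or above stable's priority: apt then takes the newest
# version of every package from testing at the next upgrade. This audit reads an
# /etc/apt/preferences file and reports that condition.
#
# Assumptions: stanzas use the documented "Pin: release a=<suite>" form; a suite
# without an explicit wildcard pin has APT's default priority of 500;
# APT::Default-Release is not set in apt.conf (that would give stable 990);
# the sample files below are constructed.

# audit_preferences FILE
#   Prints one verdict line. Exit 0 when "Package: *" pins testing strictly
#   below stable, exit 1 otherwise.
audit_preferences() {
    awk '
        BEGIN { stable = 500; testing = 500 }
        /^Package:/      { pkg = $2 }
        /^Pin:/          { pin = $0 }
        /^Pin-Priority:/ {
            prio = $2 + 0
            if (pkg == "*" && pin ~ /a=stable/)  stable = prio
            if (pkg == "*" && pin ~ /a=testing/) testing = prio
            if (pkg != "*" && pin ~ /a=testing/) named[pkg] = prio
        }
        END {
            if (testing >= stable) {
                printf "BAD: wildcard pins give testing %d, stable %d; every package may be upgraded to testing\n", testing, stable
                exit 1
            }
            printf "OK: wildcard pins give stable %d, testing %d; named packages from testing:", stable, testing
            # A named pin below the stable wildcard never wins, so flag it.
            for (p in named)
                printf " %s(%d%s)", p, named[p], (named[p] < stable ? ", too low" : "")
            printf "\n"
        }
    ' "$1"
}

# Constructed samples: the first leaves stable at the default 500 and lifts all
# of testing to 600 (a whole-system upgrade in waiting); the second keeps testing
# at 100 and lets only mysql-server-5.0 in from testing.
write_pref_samples() {
    BAD_PREFS=$(mktemp)
    GOOD_PREFS=$(mktemp)
    cat > "$BAD_PREFS" <<'EOF'
Package: *
Pin: release a=testing
Pin-Priority: 600
EOF
    cat > "$GOOD_PREFS" <<'EOF'
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 100

Package: mysql-server-5.0
Pin: release a=testing
Pin-Priority: 950
EOF
}

# Demo on the constructed files: the first is rejected, the second passes.
write_pref_samples
for f in "$BAD_PREFS" "$GOOD_PREFS"; do
    audit_preferences "$f" || echo "   -> $f would be rejected"
done
rm -f "$BAD_PREFS" "$GOOD_PREFS"
```

Raising a named package above stable does not raise its dependencies: if the testing build of mysql-server-5.0 needs a newer libc6, apt reports the unmet dependency instead of silently pulling half of testing in, which is exactly the libc6 problem George points out for the kernel packages. Run the audit against your own /etc/apt/preferences before the first dist-upgrade on a mixed system.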
Re: [backports security]
Felix C. Stegerman wrote:
> Hi,
>
> I'm about to install sarge on a (production) server of my own, and would rather like to have the latest versions of:
> * mysql (5.0)
> * vim (7.0)
> * the Linux kernel (2.6.16) [ppc]
>
> Since these are not in sarge, I'm considering using backported versions from backports.org. I was however unable to find much information on the effect on security of using backports.org. Since this server will expose several services to the internet (apache, subversion, mysql), I want to make sure that it is, and stays, secure.
>
> So these are my questions:
>
> * Are you using unofficial repositories (e.g. backports.org) on production servers?

Not any more, but I used to when I needed a more recent samba than that on woody. (Now using sarge). I now use it on my productive laptop for kernel and OO 2.0, but the latter only very seldom.

> * Do you (and can I) trust backports.org?

I'm not from backports.org, but I don't know why you should trust their mysql 5.0 less than what you would backport yourself. In both cases, the chance to miss an important security update etc. is probably higher than on stable, but you already knew that.

If trust is of utmost importance, it is always better to compile yourself; and if anything goes wrong you know whom to blame :=)) (You could achieve even more trust, if you scrutinize the source code line by line before compiling... )

It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.

Johannes
Re: [backports security]
Felix C. Stegerman [EMAIL PROTECTED] wrote:
> * Andrei Popescu [EMAIL PROTECTED] [2006-06-01 08:10]:
>>> * Also, since even backports.org does not seem to have vim 7.0 and kernel 2.6.16 (yet), what would be the best way/place to get these from? Should I (try to) backport them myself?
>>
>> It is said that compiling your own kernel with make-kpkg should be pretty easy. It generates a kernel package which you can then install with dpkg -i. Never tried it myself though ...
>>
>> Compiling smaller software is generally just a matter of running make, make install. YMMV
>
> I know ;-) I've used make-kpkg a lot. I'm not sure whether it's easy to install one of the newer kernels (even a self-compiled one) on sarge though, since it may depend on newer versions of e.g. yaird.

You could avoid yaird by compiling everything in. I think the only problem would be udev, but I may be wrong

Andrei
--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: [backports security]
Felix C. Stegerman wrote:
> I've thought about using unstable (see an earlier thread I started), and decided to go with stable instead. But it's nice to know that unstable can be used with very little problem.

In general, there are not too many problems or breakages with unstable. Occasionally, complex packages will experience RC bugs or other such things will happen. Security is generally handled quickly as well, as new package versions are first uploaded into unstable anyways.

The problem is that as an administrator, you have no guarantee that the behavior of your system will remain the same from one dist-upgrade to the next. If you are running services in production, this could be a problem. If you can stand occasional down time while you sort out such issues or if you have additional test servers, this tends to not be as much of a problem.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: [backports security]
* Johannes Wiedersich [2006-06-01 12:39]:
>> I'm about to install sarge on a (production) server of my own, and would rather like to have the latest versions of:
>> * mysql (5.0)
>> * vim (7.0)
>> * the Linux kernel (2.6.16) [ppc]
>>
>> Since these are not in sarge, I'm considering using backported versions from backports.org. I was however unable to find much information on the effect on security of using backports.org. Since this server will expose several services to the internet (apache, subversion, mysql), I want to make sure that it is, and stays, secure.
>>
>> So these are my questions:
>>
>> * Are you using unofficial repositories (e.g. backports.org) on production servers?
>
> Not any more, but I used to when I needed a more recent samba than that on woody. (Now using sarge). I now use it on my productive laptop for kernel and OO 2.0, but the latter only very seldom.
>
>> * Do you (and can I) trust backports.org?
>
> I'm not from backports.org, but I don't know why you should trust their mysql 5.0 less than what you would backport yourself. In both cases, the chance to miss an important security update etc. is probably higher than on stable, but you already knew that.

Do you know what would be the best way to make sure I don't miss any of those updates? If I backport e.g. mysql from unstable/testing, will I be able to rely on security announcements to debian-security, or do I need to check for new vulnerabilities upstream?

> If trust is of utmost importance, it is always better to compile yourself; and if anything goes wrong you know whom to blame :=)) (You could achieve even more trust, if you scrutinize the source code line by line before compiling... )
>
> It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.

I'm more concerned about security than reliability. I can handle occasional downtime if something breaks, but I'd rather avoid my system being compromised.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
* George Borisov [EMAIL PROTECTED] [2006-06-01 11:39]:
> Felix C. Stegerman wrote:
>> I'm about to install sarge on a (production) server of my own, and would rather like to have the latest versions of:
>> * mysql (5.0)
>> * vim (7.0)
>> * the Linux kernel (2.6.16) [ppc]
>
> The latter will probably cause the most problems. The Debian packages of the later kernels depend on a later version of libc6, with all the further dependency implications. You will probably be able to use the kernels you compile yourself.
>
> For the rest, you could consider mixing stable and testing (through APT pinning.) MySQL 5 is definitely in testing and vim 7 will make it there eventually.

Wouldn't mixing stable and testing be less secure than using backports? Or is security support for testing good enough to rely on for (some packages on) production servers?

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
* Roberto C. Sanchez [2006-06-01 14:59]:
> Felix C. Stegerman wrote:
>> I've thought about using unstable (see an earlier thread I started), and decided to go with stable instead. But it's nice to know that unstable can be used with very little problem.
>
> In general, there are not too many problems or breakages with unstable. Occasionally, complex packages will experience RC bugs or other such things will happen. Security is generally handled quickly as well, as new package versions are first uploaded into unstable anyways.
>
> The problem is that as an administrator, you have no guarantee that the behavior of your system will remain the same from one dist-upgrade to the next. If you are running services in production, this could be a problem. If you can stand occasional down time while you sort out such issues or if you have additional test servers, this tends to not be as much of a problem.

I'm running unstable on my desktop (well, actually a laptop), so I'm accustomed to the occasional breakage and could probably live with it. I'm just reluctant to use unstable on a production server connected to the internet, because I don't want to leave the server (potentially) vulnerable. If, however, security updates to unstable are reliable enough, I would seriously consider using it (and test upgrades on my laptop first).

Would you say unstable is reliable enough to use on a production server that can handle occasional downtime? Without any unnecessary risk of leaving it open to vulnerabilities?

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
* Andrei Popescu [EMAIL PROTECTED] [2006-06-01 14:47]:
>>> It is said that compiling your own kernel with make-kpkg should be pretty easy. It generates a kernel package which you can then install with dpkg -i. Never tried it myself though ...
>>>
>>> Compiling smaller software is generally just a matter of running make, make install. YMMV
>>
>> I know ;-) I've used make-kpkg a lot. I'm not sure whether it's easy to install one of the newer kernels (even a self-compiled one) on sarge though, since it may depend on newer versions of e.g. yaird.
>
> You could avoid yaird by compiling everything in. I think the only problem would be udev, but I may be wrong

You're probably right ;-) So the question is whether udev is easy to backport to sarge, or whether it will cause problems.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et:
Re: [backports security]
Felix C. Stegerman wrote:
> I'm running unstable on my desktop (well, actually a laptop), so I'm accustomed to the occasional breakage and could probably live with it. I'm just reluctant to use unstable on a production server connected to the internet, because I don't want to leave the server (potentially) vulnerable. If, however, security updates to unstable are reliable enough, I would seriously consider using it (and test upgrades on my laptop first).
>
> Would you say unstable is reliable enough to use on a production server that can handle occasional downtime? Without any unnecessary risk of leaving it open to vulnerabilities?

Personally, I stick to stable servers since I don't have time to babysit them through frequent dist-upgrades. If you need only a few more recent packages, then stable+backports is probably your best bet. If you need lots of new packages, then unstable might work for you. However, you must realize that many (nearly all) Debian developers are volunteers (i.e., their employers do not pay them to work on Debian full time) and so packages can fall behind upstream releases because the maintainer gets busy.

For a good example of this, see http://bugs.debian.org/src:cyrus-sasl2

The cyrus-sasl2 package is arguably a very important package. However, it is now something like three or four minor versions behind upstream and has a ton of bugs. That is not a good situation and the maintainer has recently orphaned it. However, there is enough attention from other Debian developers that at least security issues are resolved. I would be careful of using a server running on unstable that uses packages which have been orphaned, as those are generally the least likely to receive attention.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: [backports security]
Felix C. Stegerman wrote:
> Wouldn't mixing stable and testing be less secure than using backports? Or is security support for testing good enough to rely on for (some packages on) production servers?

Supposedly testing gets security updates now. It is in security.debian.org together with stable. It is a relatively recent thing, so the information is a bit patchy and contradictory at times. I would be interested in finding out more.

--
George Borisov
DXSolutions Ltd
Re: [backports security]
George Borisov wrote:
> Felix C. Stegerman wrote:
>> Wouldn't mixing stable and testing be less secure than using backports? Or is security support for testing good enough to rely on for (some packages on) production servers?
>
> Supposedly testing gets security updates now. It is in security.debian.org together with stable. It is a relatively recent thing, so the information is a bit patchy and contradictory at times. I would be interested in finding out more.

That is an indication that we are nearing release in a few months. In particular, I think it is being done earlier for Etch so that the same infrastructure problems that happened right after the Sarge release are not repeated.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: [backports security]
Felix C. Stegerman wrote:
> Do you know what would be the best way to make sure I don't miss any of those updates? If I backport e.g. mysql from unstable/testing, will I be able to rely on security announcements to debian-security, or do I need to check for new vulnerabilities upstream?

Just looking up http://www.de.debian.org/security/faq

Security breakage in the stable distribution warrants a package on security.debian.org. Anything else does not.

Q: How is security handled for testing and unstable?
A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, work is in progress to change this, with the formation of a testing security team which has begun work to offer security support for testing, and to some extent, for unstable.

If security and reliability are important, I'd stick to stable. Period. YMMV.

>> It's always a difficult decision between 'I'd rather have xxx' and security. If reliability is important, I would rather stick to stable, but YMMV.
>
> I'm more concerned about security than reliability. I can handle occasional downtime if something breaks, but I'd rather avoid my system being compromised.

I meant to write reliability AND security.

About 'occasional downtime': If it's a server that is supposed to be online 12 months per year, you should also consider the implications of a downtime while you are on vacation or have other important things to do ;-)

Johannes
[backports security]
Hi,

I'm about to install sarge on a (production) server of my own, and would rather like to have the latest versions of:

* mysql (5.0)
* vim (7.0)
* the Linux kernel (2.6.16) [ppc]

Since these are not in sarge, I'm considering using backported versions from backports.org. I was however unable to find much information on the effect on security of using backports.org. Since this server will expose several services to the internet (apache, subversion, mysql), I want to make sure that it is, and stays, secure.

So these are my questions:

* Are you using unofficial repositories (e.g. backports.org) on production servers?
* Do you (and can I) trust backports.org?
* Also, since even backports.org does not seem to have vim 7.0 and kernel 2.6.16 (yet), what would be the best way/place to get these from? Should I (try to) backport them myself?

Other suggestions/remarks are welcome.

Thanks.

- Felix
--
Felix C. Stegerman [EMAIL PROTECTED] http://obfusk.net
~ Any sufficiently advanced bug is indistinguishable from a feature. ~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et: