On 01/06/2013 09:08 PM, Adam Borowski wrote:
> It shouldn't not be some private repository in a dark corner of teh
> interwebs, it must be an official thing with a mandatory apt line during
> the installation.

I agree that would be the best thing to do, however it doesn't seem like it's going to happen right now. My point is to create a temporary repository to see if it's doable. E.g.: does it get enough traction so that DDs upload security fixes. Also, that's unfortunately the only thing I can set up by myself, without the help of some DSA people. We can move to something more official later on. But I'll start doing something only if I get at least a few positive replies to this thread, which I haven't yet... I don't intend to do that all by myself.

> Too many people I otherwise respect use lenny (or etch!) on production
> network-facing servers, no matter how often I scream at them. And if
> they'll get rooted, there'll be stink about Debian's lack of security.
>
> The upgrade window is only 12 months, that's ridiculously short in many
> environments (corporate with its inertia, small setups where admins are
> starved for tuits).

Exactly!

>> It's probable that others will want updates for apache, postfix, and
>> stuff like that as well.
> Ie, anything that is likely to be vulnerable remotely.

And also, anything that is likely to be a critical piece of software. Like, for example I wouldn't really care about game servers...

> Thus, I propose:
> what about adding such an empty repository to wheezy's apt sources NOW? In
> a few years, when wheezy becomes retired oldstable, there will be time to
> decide whether to use that repository or not. Or alternatively, you could
> revive lenny-security -- this has the upside of not adding new entities, and
> a downside of announcements being not as loud as a 404.

Let's be realistic: this won't happen unless some key DDs reply positively to this thread (DSA, FTP-Masters, security team, etc.). Also, when the old-stable becomes obsolete, it goes to archive.debian.org. So you do get a 404 anyway. I don't see adding a new repository as a problem. It also forces users to know what they are doing.
We can also choose a repository name explicitly expressing the fact it's not a full support like it used to be with old-stable.

Thomas