[sorry for replying to this very late, but I thought it relevant...] Op zaterdag 10 mei 2014 00:15:02 schreef Stuart Prescott: > == sources.list > > Many users of stable releases don't have security.debian.org in the > sources.list. I can only wildly speculate as to how this happens... if the > installer doesn't find a network connection at install time it leaves a > pretty weird looking sources.list and we know lots of people manage to not > fix properly. The sources.list that the installer leaves in this case is > certainly sub-optimal. > > Why do we have a separate archive for security at all? "Separate teams" and > "hysterical raisins" are possible reasons. Not waiting for a mirror pulse to > push out updates is another. Is there any technical reason right now to not > copy security updates into the stable release at the next dinstall run > rather than waiting a few months for a point release? What would be > required to merge these and simplify life for our users?
There are sometimes good reasons not to install security updates immediately: - Not all security updates are as critical as the heartbleed bug, and while the security team has a good track record, it is not 100% perfect in the area of "no regressions". In large environments, system administrators may want to evaluate non-critical security updates before applying them "immediately". - In some environments, "reproducability of an installation" is much more important than "security" (e.g., because the system is used as a monitoring system in a controlled environment that is not connected to the Internet, where unexpected functionality changes could be life-threatening for the people using the system). In that area, the ability to point to a point release and say "install this", without having to qualify things about security releases, is a feature. While I agree that disabling security updates should be almost impossible for novice users, I don't think merging the two repositories is a good idea. -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
