* martin f. krafft:

>> One day more or less doesn't really matter. So far, Debian security
>> updates predated widespread (semi-)automated exploits by weeks.
>
> Why then do you think security.d.o is not mirrored by Debian?

Our mirror network is not actually well-known for its integrity (think paris.avi). By default, package authenticity is not validated in sarge and earlier releases. From a security POV, it's better to download those updates from a limited set of well-maintained servers. It reduces the attack surface somewhat.

