On Thu, 2004-05-13 at 03:17, Sascha Beaumont wrote:
> Watch it time out connecting to security.debian.org.. (Limited internet
> access at the moment remember) twice... three times. And it's trying to
> grab stable, I'm using unstable. Shouldn't all security updates make it
> to unstable anyway?

Nope - the security team only work on packages in stable. They avoid the high-churn of testing and unstable. Sometimes the fix is in the unstable version, and the stable fix follows. Other times, there is only a vulnerability announce and the fix goes into stable, and is sent back to the program authors.

I've noticed by following BugTraq that Debian are generally the first distro to announce fixed packages, usually by at least 24 hours. And I get the debian-security-announce messages about 12 hours before they are posted to BugTraq too ...

This is a damn good reason for servers to live exclusively in 'stable', even to the extent of refusing recent packages. I do have a wrestle with my conscience every time I want something that isn't in the stable tree, however. Occasionally I pluck it from backports.org, but I know that they don't have the quality of response to security issues that Debian themselves have ...

[Some may remember my comments from a few months back about trusting the distro maintainers. Since then I've been managing about a dozen Debian boxen, and had absolutely no problem keeping up with everything. Except kernel upgrades, which were done very very carefully on remote machines. I'm confident with the Debian stable worldview.]

> Software selection method, tasksel, aptitude, dselect or nothing. I
> choose nothing. (We'll deal with this below, most people should just use
> tasksel)

For servers, use nothing at all. Then install less, (vim|emacs), sudo, screen, lsof and collect the fingerprint of your server ssh keys :-)

> Login.... dammit I want British English spelling, but US keyboard
> layout. How on earth did this happen. My Shift-3 gives me a pound sign!

This always winds me up ... and further confusion is caused by the fact that Americans describe the octothorpe # as a "pound" sign, whereas Brits call it a "hash mark", and reserve the word "pound" for the sterling currency symbol ...

-jim
