Re: Debian Security Support in Place
Petter Reinholdtsen wrote:
> [Martin Wodrich]
>>> IIRC security-support for sarge started before its release.
>> But only one month before the release.
> That depends on your definition of support.

Ok, that's true. I mean the possibility of security updates.

> The testing security team was working hard to secure it a long time before sarge was released.

Ok, that's fine.

--
Kind regards,
Martin Wodrich

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Debian Security Support in Place
thus spoke Sven 'Rae the Git' Grounsell [EMAIL PROTECTED] [2005.07.09.1851 +0200]:
> Also, you are IMHO ignoring, that Debian is one of the _very_ few distros, that provides _seamless_ upgrades between even major releases.

No matter how seamless, dist-upgrades require a lot of time for testing afterwards.

--
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, admin, user, and author
`. `'`
  `-     Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

why didn't noah swat those two mosquitoes?
Re: Debian Security Support in Place
> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.

This is equivalent to saying "We will rip security support for oldstable from under your feet at any time just as we please." This is not acceptable in a production environment.

May 2006 is less than a full year anyhow, which is very short for a production environment. I have several machines I cannot update before January 2006 because I have a contract that keeps me busy fulltime for a different customer. That contract may be prolonged.

Incidentally, that customer is using SLES 8 (SuSE Linux Enterprise Server) and has no capacity to upgrade to SLES 9 for at least a year. With SLES 8, this is not a problem because of the long support timeframe. Which is exactly the reason they go with SLES rather than the regular SuSE releases.

So in essence the announcement says "screw you, commercial customers". Please don't do that. It makes promoting Debian awkward.

Thank you for your attention,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |
Re: Debian Security Support in Place
thus spoke Lupe Christoph [EMAIL PROTECTED] [2005.07.09.1022 +0200]:
>> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.
> This is equivalent to saying "We will rip security support for oldstable from under your feet at any time just as we please."

No, it's not. It's worded a little awkwardly, but herewith you get my promise that etch will not happen first. So May 2006 it is.

You are welcome to get those companies to come up with funding to allow us to pay 1-2 people taking care of sarge after May 2006.

And if that is unacceptable to you: Ubuntu has announced a 5 year support plan for server systems: http://www.ubuntulinux.org/UbuntuFoundation

--
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-     Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

it is easier to be a lover than a husband for the simple reason that it is more difficult to be witty every day than to say pretty things from time to time.
-- honoré de balzac
Re: Debian Security Support in Place
(open letter to the debian security team)

Greetings,..

on friday, 8th july 2005 07:58 Martin Schulze wrote:
> [...] The Debian project confirms that the security infrastructure for both the current release Debian GNU/Linux 3.1 (alias sarge) and the former release 3.0 (alias woody) is working again. The security team is now able to provide updates on a regular basis again.
> [...] There were several issues with the security infrastructure after the release of sarge, that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again.

Nice to hear, thanks to all. You obviously spent a lot of time and effort in restoring debian security. Thanks.

But maybe, some rather constructive criticism is required as well - and ehm, well, to be honest, imho this is not satisfying:

It has never been officially announced that the security infrastructure is not working. It is quite confusing that you report the end of problems you haven't reported at first; furthermore, if the end of this problem justifies an official debian announcement, the beginning of this problem should have been announced too. Knowing a security problem is imho probably more important than knowing not having a problem, because a security problem requires defensive actions.

Another point is the explanation. "several issues with the security infrastructure" can probably mean anything. From failing power supply units up to conflicts within the security team. By that the explanation is not satisfying, too. There have been a few rumours in joey's blog, but anyway, I'm missing official statements / announcements: why this had happened (technically and non-technically), how it was solved, and how it is prevented in the future - and I guess others are missing 'em as well.

Looking back to the break-in 2003, this issue was handled very well and transparently. Imho this was a good example how things can be handled - thus going on that way ought to be quite better.

Thanks for your patience,
Keep smiling
yanosz
Re: Debian Security Support in Place
On Saturday, 2005-07-09 at 10:37:27 +0200, martin f krafft wrote:
> thus spoke Lupe Christoph [EMAIL PROTECTED] [2005.07.09.1022 +0200]:
>>> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.
>> This is equivalent to saying "We will rip security support for oldstable from under your feet at any time just as we please."
> No, it's not. It's worded a little awkwardly, but herewith you get my promise that etch will not happen first. So May 2006 it is.
> You are welcome to get those companies to come up with funding to allow us to pay 1-2 people taking care of sarge after May 2006.

If I can get the customer who owns the Woody system to fund *me* for upgrading them, I'll be glad...

> And if that is unacceptable to you: Ubuntu has announced a 5 year support plan for server systems: http://www.ubuntulinux.org/UbuntuFoundation

Let's not discuss Ubuntu here, so I just say I'm running a Debian Testing system, and that is running quite nicely without any Testing will be broken for the next few months.

Having Unstable and Experimental is a Very Good Thing. I set up two servers with Testing even though I could not be sure when fixes for security holes would come up. These have now migrated to Stable because I used sarge rather than testing in /etc/apt/sources.list. And they are updated when an applicable DSA comes out.

I'm very fond of the way Debian releasing works. Even when it works slowly like with Sarge. The Woody machines would not be running Debian if the project was negligent in keeping Debian up to date. They needed backports to be kept reasonably up to date, but even that speaks for Debian. Backports are amazingly easy to do most of the time.

When the problems of the security team came to light, I was quite astonished and I'm glad they have been resolved so fast. We couldn't do without Joey, but that doesn't mean he should carry all the weight.

Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |
Re: Debian Security Support in Place
On Sat, Jul 09, 2005 at 10:22:29AM +0200, Lupe Christoph wrote:
> So in essence the announcement says "screw you, commercial customers". Please don't do that. It makes promoting Debian awkward.

are you aware that we are talking about *oldstable* here? it was released july 2002, i think if it is supported until may 2006 (one year after it got replaced with a new stable version) that's quite a long timeframe and a very good reason for promoting debian!

cu robert

--
Robert Lemmen http://www.semistable.com
Re: Debian Security Support in Place
Robert Lemmen [EMAIL PROTECTED] wrote:
> On Sat, Jul 09, 2005 at 10:22:29AM +0200, Lupe Christoph wrote:
>> So in essence the announcement says "screw you, commercial customers". Please don't do that. It makes promoting Debian awkward.
> are you aware that we are talking about *oldstable* here? it was released july 2002, i think if it is supported until may 2006 (one year after it got replaced with a new stable version) that's quite a long timeframe and a very good reason for promoting debian!

Also, you are IMHO ignoring, that Debian is one of the _very_ few distros, that provides _seamless_ upgrades between even major releases. The only other distro, which comes close to the debian-way of upgrading is afaik Gentoo (which is no alternative for productive server-systems for obvious reasons).

On my behalf, i used to install a base-system with a woody-netinstall-image to setup a sarge-system for customers, who wanted a more up2date system - this never made any problems worth speaking of.

And THIS is a very strong pro Debian argument - you don't need to re-setup your server every so-often (like you would have to do with, say, SuSE), but you can, if you wish, even slowly migrate your server, service by service to more recent versions/releases and deal with probable changes in configuration or handling one by one and don't have to do the whole lot at once.

Regards, Sven

--
http://www.tuxhilfe.de/ - Linux help and support forum
http://www.best-of-us.de/ - Find and meet acquaintances and friends
sven at tuxhilfe dot de
Re: Debian Security Support in Place
[Martin Wodrich]
>> IIRC security-support for sarge started before its release.
> But only one month before the release.

That depends on your definition of support. The testing security team was working hard to secure it a long time before sarge was released. <URL:http://secure-testing.alioth.debian.org/>
Re: Debian Security Support in Place
[Sven 'Rae the Git' Grounsell]
> Also, you are IMHO ignoring, that Debian is one of the _very_ few distros, that provides _seamless_ upgrades between even major releases.

This is a slight exaggeration, as this does not really work very seamlessly for packages where the configuration was changed. I get a lot of conffile questions during upgrades when trying to upgrade my woody servers to sarge, and I would not call that seamless.

And for desktops, I ran into several problems with the package selection when upgrading. apt-get and aptitude wanted to remove several of the packages instead of upgrading them.
Re: Debian Security Support in Place
On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.

Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny grins.

--
Phillip Hofmeister
Re: Debian Security Support in Place
On Fri, Jul 08, 2005 at 09:33:29AM -0400, Phillip Hofmeister wrote:
> On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
>> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.
> Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny grins.

IIRC security-support for sarge started before its release.

Horst.

--
For I perceive that behind this seemingly unrelated sequence of events, there lurks a singular, sinister attitude of mind. Whose? MINE! HA-HA!
Re: Debian Security Support in Place
Phillip Hofmeister wrote:
>> The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.
> Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny grins.

But in the past there were some Debian releases with less than one year from one to the other.

In Wikipedia there is a good table:

Debian Linux (Stable releases)

Version   Name     Date
0.93R6    -        26 October 1995
1.1       Buzz     17 June 1996
1.2       Rex      12 December 1996
1.3       Bo       5 June 1997
2.0       Hamm     24 July 1998
2.1       Slink    9 March 1999
2.2       Potato   15 August 2000
3.0       Woody    19 July 2002
3.1       Sarge    6 June 2005
?         Etch     -

0.93R6 - 1.1: 8 months
1.1 - 1.2: 6 months
1.2 - 1.3: 6 months
1.3 - 2.0: 13 months
2.0 - 2.1: 7 months
2.1 - 2.2: 17 months
2.2 - 3.0: 2 years
3.0 - 3.1: 3 years

--
Kind regards,
Martin Wodrich
Re: Debian Security Support in Place
Horst Pflugstaedt wrote:
>> Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny grins.
> IIRC security-support for sarge started before its release.

But only one month before the release.

--
Kind regards,
Martin Wodrich