I stutter:
> > It is my subjective experience that the security team is actually
> > pretty good about updating testing. For example the postgresql update
> > applied to both testing & stable.

Steve Langaek (post modern programmer) writes:
> This would be very subjective indeed, because the
> security team does nothing to directly address
> security holes in testing.

If I were a diligent person, I'd look at this a bit more carefully (does apt-get log???), but here are a few random data points to muddy the waters.

My various /etc/apt/sources.list files contain:

    deb http://security.debian.org/ sarge/updates main contrib non-free

...and when I get a notice from the security list:

    http://lists.debian.org/debian-security-announce/

the mentioned package is (always?) updated w/ an apt-get update/upgrade.

It doesn't matter (much) to me if the package maintainer updates the package or the security team. (However, I do seem to see "security.debian.org" flashing across the screen when I am updating packages.)

From the security announcement list (which everyone should subscribe to):

[snip]
Package        : gallery
Vulnerability  : unauthenticated access
Problem-Type   : remote
Debian-specific: no
[snip]
For the current stable distribution (woody), these problems have been
fixed in version 1.2.5-8woody2.

For the ****unstable**** distribution (sid), these problems have been
fixed in version 1.4.3-pl2-1.