> Andrew Suffield wrote:
> Installing unstable packages is in no sense a solution, for
> people doing serious security setups.

What should be realised of course, is that Apache recommended moving to 1.3.19 and quite some time ago 1.3.23 - so while you might consider the packaging to be unstable, the product is not. PHP are supplying patches, but recommend an upgrade to 4.1.2.

So we have a conflict - the people who write Apache and PHP are recommending for production, versions that Debian has in unstable [with PHP a brand new version that has not yet reached unstable].

I think this points to the major thing wrong with Debian. It is a fabulous, but very hard goal to create a completely stable distribution including thousands of packages for lots of platforms. The result of following this goal is that Debian is dropping further and further behind the current upstream production versions - even for not-very-often used products like Apache and PHP4 8-)

I don't really understand why other dists are able to package up the upstream recommended versions, but Debian cannot?

Would it be possible to create a separate archive of upstream recommended production versions of core things like: Apache, Perl, SSL, MySQL? I would guess that keeping a much smaller set of core applications and libraries consistent would be easier?

Sigh - still no solution to the PHP hole... ATM the best bet seems to be

a) building our own PHP4.1.2
b) waiting for the package maintainer.

I do note that the PHP4 package maintainer is rather active, so I am holding out for B) atm.

Have installed and tested Apache 1.3.23 which seems fine so far...

Jeff