On 8/23/05, Kent West <[EMAIL PROTECTED]> wrote:
> Bryan Donlan wrote:
>
> >On 8/23/05, Kent West <[EMAIL PROTECTED]> wrote:
> >
> >>It's my understanding that because of their high-priority nature,
> >>security updates go into Stable even before they sometimes make it into
> >>Testing (or perhaps, Unstable?). So a Testing system with the stable
> >>security line is more likely to get patched more quickly than waiting
> >>for the normal influx of packages into Testing.
> >>
> >>My understanding may very well be amiss, however.
> >>
> >
> >No.
> >
> "No" to "...my understanding..." or "No" to "My understanding may very
> well be amiss..."?
>
> > Say that stable has foobar version 1.0.4-1, and testing has foobar 1.0.5-1.
> >
> >Now there's a security fix. Stable-security gets 1.0.4-1sarge1 or
> >similar, unstable gets 1.0.5-2. However, testing still has 1.0.5-1,
> >which is newer than 1.0.4-1sarge1. It will be at least two days until
> >the unstable fix gets into testing.
> >
> Say that stable has foobar version 1.0.4-1, and testing also still has
> foobar 1.0.4-1.
>
> Now there's a security fix. Stable-security gets 1.0.4-1sarge1 or
> similar, unstable gets 1.0.5-0. Testing still has 1.0.4-1, which is
> older than 1.0.4-1sarge1. It will be at least two days until the
> unstable fix gets into testing.
>
> In your case, if the 1.0.5-1 version in Testing does not have the
> security issue (which is doubtful), all is fine for those two days. I'm
> unclear if you're saying you've got two days of vulnerability, or if
> you're saying that Testing's newer version than Stable-security's
> mitigates those two days of vulnerability.

Testing's newer version means the security fix is considered an older version, so it won't auto-upgrade. If the version in testing is vulnerable, you either have to manually downgrade to stable-security, or manually upgrade to unstable.

> I don't think leaving the Security line at stable hurts anything, and I
> think it makes sense to leave it there.

It doesn't hurt anything, no, but it won't help in many cases, except perhaps at the start of a release cycle.