On 2008-04-15 01:47 +0200, Douglas A. Tutty wrote:

> On Mon, Apr 14, 2008 at 08:20:00PM +0200, David wrote:
>
>> comix - The version in Testing had security problems, so it was
>> removed automatically (however, the insecure version stayed in
>> Unstable). Almost a month later a fixed version was uploaded to stable
>> and 10 days later it moved to Testing.
>
> Everyone who thinks of using Sid needs to read and understand this
> paragraph. "However, the insecure version stayed in Unstable". Just
> because Sid includes the latest doesn't mean it's the greatest. I don't
> think that, e.g. aptitude pops up a warning "WARNING: you are trying to
> install an insecure version of comix".
It is true that sid users should generally check for grave bugs and security issues in packages they want to install, but the same holds for testing. After all, buggy packages will not be removed quickly, and an update will first be available in unstable before it migrates to testing.

> At least if you run testing, if something proves insecure it will
> be either fixed in unstable and migrate after 10 days, or (I think)
> will be removed from testing.

If the maintainer acts correctly and uploads the package with urgency=high, it can migrate after only two days. However, that's often not possible, because the package must also have been built on all 11 release architectures and its dependencies have to be fulfilled in testing. For packages with many dependencies this not seldom takes months. The testing-security support we now enjoy has mitigated the situation somewhat, but testing is still the worst Debian branch security-wise.

As for the removals: packages with many reverse dependencies or packages that are very popular among users never get removed from testing, as far as I can see. Otherwise the Mozilla packages would be out of testing most of the time. :-/

> It is often said that our testing branch
> is like other distro's stable or release branch. This may be true, but
> Unstable (Sid) is unstable and at any given time may have serious
> security issues. Beware.

Security is really the least thing you have to worry about if you use sid. The problems are elsewhere: packages may not be installable due to missing dependencies (never happens in stable or testing), installation fails (the most common reason is that the package contains files that are also in another package - never happens in stable and very rarely in testing), or a package may not work at all for one or the other reason. These are the real problems when you use sid, not security.

Sven