Lenny vs. Etch + Backports

2007-09-27 Thread Michael C

Hi,

After returning to Linux last year as my main desktop OS, I've been 
wanting to migrate to Debian. However, put off by the prospect of having 
to use backported security fixes on officially retired development 
branches such as Thunderbird/Icedove 1.5 (for up to two years!), I'd far 
rather be using either Testing or Backports.


Given that in any case Backports.org currently only seems to draw on 
Lenny, and that these days, security vulnerabilities fixed in Sid are 
swiftly brought over into Testing, what are the specific advantages of 
using Etch + Backports?


Regards,

Michael


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Lenny vs. Etch + Backports

2007-09-27 Thread Andrei Popescu
On Thu, Sep 27, 2007 at 02:37:03PM +0100, Michael C wrote:
> Hi,
>
> After returning to Linux last year as my main desktop OS, I've been wanting 
> to migrate to Debian. However, put off by the prospect of having to use 
> backported security fixes on officially retired development branches such 
> as Thunderbird/Icedove 1.5 (for up to two years!), I'd far rather be using 
> either Testing or Backports.
>
> Given that in any case Backports.org currently only seems to draw on Lenny, 
> and that these days, security vulnerabilities fixed in Sid are swiftly 
> brought over into Testing, what are the specific advantages of using Etch + 
> Backports?

Take this with a grain of salt as I'm a sid user, but I think as long as 
all the new software you need is Icedove, stable+backports should be 
better.  If you find you are installing a significant amount of software 
from backports (or just don't find what you need) maybe you should 
consider testing, but don't expect everything to Just Work (TM).

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




Re: Lenny vs. Etch + Backports

2007-09-27 Thread Johannes Wiedersich

Michael C wrote:
> Hi,
> 
> After returning to Linux last year as my main desktop OS, I've been
> wanting to migrate to Debian. However, put off by the prospect of having
> to use backported security fixes on officially retired development
> branches such as Thunderbird/Icedove 1.5 (for up to two years!), I'd far
> rather be using either Testing or Backports.
> 
> Given that in any case Backports.org currently only seems to draw on
> Lenny, and that these days, security vulnerabilities fixed in Sid are
> swiftly brought over into Testing, what are the specific advantages of
> using Etch + Backports?

I am not sure if I understand correctly: What are your objections
against debian's way of security fixes?

The advantage of etch is that it is 'stable'. If you want/need more
recent software and like to discover bugs and help to get them sorted
out, you could use 'testing' or unstable. Those also require more
upgrading and more work on your part.

The advantage of backports.org is that it provides more recent versions
of some software packages. If you want a 'stable' system, but require a
more recent version of one or a few packages take them from backports.

If icedove and firefox/iceweasel are your only concern, I would stick to
stable (+ backports, but only if that is really important to you).

HTH,

Johannes



Re: Lenny vs. Etch + Backports

2007-09-27 Thread Michael C

Johannes Wiedersich wrote:

> I am not sure if I understand correctly: What are your objections
> against debian's way of security fixes?

Let's take the example of Seamonkey/Iceape. Officially EOL'd as of May,
the 1.0.x branch's security status is no longer being actively
investigated by upstream developers, but assuming that Lenny takes as
long to come to fruition as Etch, come Debian's next major release its
developers -- with fewer resources than upstream, I should imagine --
will have been searching out and patching vulnerabilities in an
abandoned codebase for more than 20 months.

I've no doubt that the resulting code's more stable than upstream's,
it's just that I'd rather place my trust in the upstream codebase (or
Debian patches based thereon).

Not a very original objection, but a reasonable-sounding pretext for
moving away from Stable ;)

Best wishes,

Michael







Re: Lenny vs. Etch + Backports

2007-09-28 Thread Johannes Wiedersich

Michael C wrote:
> Johannes Wiedersich wrote:
> 
>> I am not sure if I understand correctly: What are your objections
>> against debian's way of security fixes?
> 
> Let's take the example of Seamonkey/Iceape. Officially EOL'd as of May,
> the 1.0.x branch's security status is no longer being actively
> investigated by upstream developers, but assuming that Lenny takes as
> long to come to fruition as Etch, come Debian's next major release its
> developers -- with fewer resources than upstream, I should imagine --
> will have been searching out and patching vulnerabilities in an
> abandoned codebase for more than 20 months.
> 
> I've no doubt that the resulting code's more stable than upstream's,
> it's just that I'd rather place my trust in the upstream codebase (or
> Debian patches based thereon).
> 
> Not a very original objection, but a reasonable-sounding pretext for
> moving away from Stable ;)

[I'm not a security expert and I don't follow this in every detail, so
take my statements carefully and with a grain of salt. ]

I personally view it this way:
- upstream replace each mozilla-* version with a new version. This means
  that at the same time a security issue is fixed, a new one may arise due
  to new features etc.
- for each security issue discovered, debian carefully checks whether it
  affects the version in stable. If so, the issue gets fixed and it is
  rather unlikely that 'new' security holes are introduced this way.

I can't ultimately tell by hard facts, which approach is more secure,
but my experience with debian's approach has been good.

You could also run stable etch and install firefox et al. from mozilla's
website... I think that even includes an automatic update feature. (Have
never tried this myself, though.)

YMMV, HTH, best wishes!

Johannes