Re: New user Q: Best way to stay up to date on "testing"?
Jacob S wrote:
> On Fri, 8 Oct 2004 23:13:15 +0200
> "Dan Roozemond" <[EMAIL PROTECTED]> wrote:
> > While we're at it - suppose someone is the only administrator of a
> > debian(stable) system connected to the internet permanently, with SSH,
> > Postfix and Bind exposed to the 'big bad' world. Say that someone is
> > lucky enough to take a vacation, and is not able to connect to the
> > machine for two weeks. How dangerous is it to have 'apt-get update;
> > apt-get upgrade' run automatically every day?
> >
> > No, this scenario is not entirely hypothetical ;)
>
> Well, let's just say that I wouldn't do it unless I were going to be
> looking for a new job while enjoying that 2 weeks of vacation. :-) With
> Stable it should be rare for it to be a problem, for Sarge it shouldn't
> be a problem very often, but there is still a chance for problems in
> there somewhere.

That's how it should be. However, IIRC, all (most?) security bugs in packages like ssh, bind, etc, were present both in testing and in stable.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: New user Q: Best way to stay up to date on "testing"?
On Sat, 9 Oct 2004 03:38:18 -0400, Kevin Mark <[EMAIL PROTECTED]> wrote:
> On Fri, Oct 08, 2004 at 04:05:31PM -0500, Jacob S wrote:
> > On Fri, 8 Oct 2004 15:18:02 -0500
> > JW <[EMAIL PROTECTED]> wrote:
> >
> > > I was reading the security FAQ and am somewhat alarmed to find (if I
> > > understand correctly) that Testing is not actively supported by the
> > > security team. Youch. If I could put stable on it I would, but for the
> > > reasons stated above I can't.
> >
> > 'Testing' is not actively supported, correct until you near release
> > time. Sarge has entered a freeze for the base packages, is in that 'near
> > release time' phase and is now getting security updates along with the
> > current 'Stable' (Woody). Sarge is expected to be released as the new
> > stable 'any day now'.
>
> Hi Folks,
> I can echo what Jacob said. there is only one release of debian: stable.
> testing is not a distribution--it's just for folks testing stuff that at
> some point will go into stable. things can pop-in and pop-out
> unexpectedly like all of kde. unstable is a pseudo-distro where you just
> get an influx of the latest packages. Things go reasonably smoothly in unstable but
> there are times when a few packages get broken and you may need to
> backtrack something or WAIT until folks say it's OK to upgrade.
>
> But there is something to note: testing goes through stages. After a
> release testing is the same as the new stable. After a few months
> testing is then all mixed up with all new stuff. Then as things get more
> tested, testing becomes 'near' stable. Which is how it is now. At this
> point Debian starts to add security updates for testing/the next stable.
> This is sometimes called the 'frozen' release. And after some release
> critical issues: stable is born.
>
> also there are two ways to track debian: via release names(sarge) or via
> distributions(testing).

I think by now it is time to switch from testing to sarge in your /etc/apt/sources.list. This will easily let you settle on the future stable release without having to worry that at some point in time everything will get switched from unstable->testing and testing->stable. The codenames (potato, woody, sarge, etc.) provide a much more stable migration path IMHO, because sarge will always be sarge, even though it is now testing and will be stable soon.
Re: New user Q: Best way to stay up to date on "testing"?
On Fri, Oct 08, 2004 at 04:05:31PM -0500, Jacob S wrote:
> On Fri, 8 Oct 2004 15:18:02 -0500
> JW <[EMAIL PROTECTED]> wrote:
>
> > I was reading the security FAQ and am somewhat alarmed to find (if I
> > understand correctly) that Testing is not actively supported by the
> > security team. Youch. If I could put stable on it I would, but for the
> > reasons stated above I can't.
>
> 'Testing' is not actively supported, correct until you near release
> time. Sarge has entered a freeze for the base packages, is in that 'near
> release time' phase and is now getting security updates along with the
> current 'Stable' (Woody). Sarge is expected to be released as the new
> stable 'any day now'.

Hi Folks,
I can echo what Jacob said. there is only one release of debian: stable. testing is not a distribution--it's just for folks testing stuff that at some point will go into stable. things can pop-in and pop-out unexpectedly like all of kde. unstable is a pseudo-distro where you just get an influx of the latest packages. Things go reasonably smoothly in unstable but there are times when a few packages get broken and you may need to backtrack something or WAIT until folks say it's OK to upgrade.

But there is something to note: testing goes through stages. After a release testing is the same as the new stable. After a few months testing is then all mixed up with all new stuff. Then as things get more tested, testing becomes 'near' stable. Which is how it is now. At this point Debian starts to add security updates for testing/the next stable. This is sometimes called the 'frozen' release. And after some release critical issues: stable is born.

also there are two ways to track debian: via release names(sarge) or via distributions(testing).

-kev
--
"Have you mooed today?"...
Re: New user Q: Best way to stay up to date on "testing"?
On Friday 08 October 2004 21:18, JW wrote:
> Hello,
>
> Sorry to bother everyone with newbie questions, but I'm struggling to
> understand the entire Debian environment and need a little advice.
>
> I have been using SuSE for a long time but recently my job has required me
> to start administrating a Debian server that was set up with
> 3.1/Sarge/Testing by the co (server is actually in another state, so I'm
> stuck with what the co-lo put on it). I like Debian and I'm sure with time
> I'll figure it all out, but in the short run I need a little help.

The real big thing about debian is the way all the package dependencies just work properly. Update regularly or infrequently and I have almost never had a problem. (There were some glitches in the early days of testing)

> We are planning on keeping the server for quite a long time, it will be
> used for part of a billing system (perl/web based).
>
> I was reading the security FAQ and am somewhat alarmed to find (if I
> understand correctly) that Testing is not actively supported by the
> security team. Youch. If I could put stable on it I would, but for the
> reasons stated above I can't.

What have you got in your /etc/apt/sources.list? If you reference "sarge" then once that (shortly) becomes stable you will stick with it. Whilst it is still in the testing stage getting ready for stable the security updates will come through the normal update route. The stable team will concentrate when it hits stable. But it doesn't harm to have a line in your sources.list for a security source. Here's mine for a server based on sarge.

deb ftp://debian.blueyonder.co.uk/pub/debian/ sarge main non-free contrib
deb http://ftp.uk.debian.org/debian sarge main contrib non-free
deb http://security.debian.org/ sarge/updates main contrib non-free

> It seems to me that the best thing for me to do is keep all the installed
> software up to date. For one thing, new packages are more likely to contain
> security fixes (even if they aren't official security patches), and also,
> I'm hoping that some day in the future Sarge will be declared stable and
> I'll be able to hop on the security train.
>
> I am wondering what the best way is to go about staying up to date. If I
> run apt-get -s upgrade I'm told that apt wants to upgrade about 15
> packages, most of which seem to be related to X (we won't ever be using X
> on this server. it wasn't originally installed and I'd like to get rid of
> it but some other package I installed had a dependency on some gtk thing
> that had one on X. Oh well).

I would do it manually once a week. I ssh (from either a linux machine or from a windows machine running putty) into the machine I refer to above and run aptitude. This gives a good visual indication before it does anything so you can check that there are no major upsets (like trying to remove everything). Also, with aptitude it's easy to locate a package and then drill down through its dependencies to see why things are installed.

> Could anyone confirm that "upgrade" is the right way to stay up to date.
> I'm not going to run it automatically, and I'll always do a test run first
> to make sure nothing disastrous is going to happen.

See above - use aptitude.

> Is running upgrade on a regular basis a bad idea for any reason?

No - in fact at the moment the opposite. But as it gets more stable the number of updates it tries to do each time you do the update will become less and less.

> It just seems like I'll need to be as up to date as possible when Sarge is
> declared stable in order to make a smooth transition to Sarge/Stable.
> Correct me if I'm wrong. I've always found it better to update packages a
> little at a time rather than wait till there's dozens of updates to
> install.

You don't really make "the transition" in debian. With what you have in your sources.list as described above it should be a smooth flow. Even with a major upgrade it's not normally a big problem. On other machines, I have installed either woody or sarge and then changed sources.list to point to unstable and then upgraded immediately and generally flawlessly.

> If anyone has advice on how to keep a Testing system secure, I'd really
> like to hear it.

Put the security line in sources.list. Run a firewall (iptables is fine) to block all but only the ports that you __need__ open. Only install the packages (server) that you really need to have.

--
Alan Chandler
[EMAIL PROTECTED]
First they ignore you, then they laugh at you, then they fight you, then you win. --Gandhi
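
The two sources.list points made in this thread (track the codename "sarge" rather than the moving alias "testing", and keep a security line for that codename) can be checked mechanically. The script below is an added example, not code from any poster; the function name audit_sources and both samples are constructed, and it assumes the classic one-line "deb" format without bracketed options.

```shell
#!/bin/sh
# audit_sources [FILE]: check an APT sources.list (FILE, or stdin if omitted).
# Prints one finding per line, nothing when both checks pass:
#   ALIAS <suite> <uri>  line follows a moving alias instead of a codename
#   NOSEC <suite>        suite is used but has no security.debian.org line
audit_sources() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }               # comments, blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            uri = $2; suite = $3; base = suite
            sub(/\/.*/, "", base)                    # sarge/updates -> sarge
            sub(/-security$/, "", base)              # newer naming scheme
            if (base ~ /^(oldstable|stable|testing|unstable)$/)
                print "ALIAS " suite " " uri
            if (uri ~ /security\.debian\.org/) secure[base] = 1
            else used[base] = 1
        }
        END { for (s in used) if (!(s in secure)) print "NOSEC " s }
    ' "${1:--}" | sort
}

# Constructed sample 1: the three lines posted above (codename + security).
sample_codename() {
    cat <<'EOF'
deb ftp://debian.blueyonder.co.uk/pub/debian/ sarge main non-free contrib
deb http://ftp.uk.debian.org/debian sarge main contrib non-free
deb http://security.debian.org/ sarge/updates main contrib non-free
EOF
}

# Constructed sample 2: same mirror tracked by alias, no security line.
sample_alias() {
    cat <<'EOF'
# constructed example
deb http://ftp.uk.debian.org/debian testing main contrib non-free
EOF
}

# With a path argument, audit that file; otherwise demo on sample 2.
if [ -n "${1:-}" ]; then
    audit_sources "$1"
else
    sample_alias | audit_sources
fi
```
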
Re: New user Q: Best way to stay up to date on "testing"?
On Fri, 8 Oct 2004 23:13:15 +0200
"Dan Roozemond" <[EMAIL PROTECTED]> wrote:

> > The only thing that might cause a problem would be if it updates a large
> > package (say Apache or Perl) and has a small configuration bug that
> > makes you run around and pull your hair out trying to figure out what's
> > changed and how to fix it. This is when reading the Debian-user list
> > regularly is very helpful. However, Sarge is getting close enough to
> > release that I haven't noticed anything major like that in the five
> > or several months that I've been using it.
>
> While we're at it - suppose someone is the only administrator of a
> debian(stable) system connected to the internet permanently, with SSH,
> Postfix and Bind exposed to the 'big bad' world. Say that someone is
> lucky enough to take a vacation, and is not able to connect to the
> machine for two weeks. How dangerous is it to have 'apt-get update;
> apt-get upgrade' run automatically every day?
>
> No, this scenario is not entirely hypothetical ;)

Well, let's just say that I wouldn't do it unless I were going to be looking for a new job while enjoying that 2 weeks of vacation. :-) With Stable it should be rare for it to be a problem, for Sarge it shouldn't be a problem very often, but there is still a chance for problems in there somewhere.

On the upside, I don't have any example scenarios for Debian that I can pull out of my hat, but just the same... :-) (I'm sure some of the guys that have been using Debian since version 1.0 and before will have some good stories though.)

HTH,
Jacob
RE: New user Q: Best way to stay up to date on "testing"?
> The only thing that might cause a problem would be if it updates a large
> package (say Apache or Perl) and has a small configuration bug that
> makes you run around and pull your hair out trying to figure out what's
> changed and how to fix it. This is when reading the Debian-user list
> regularly is very helpful. However, Sarge is getting close enough to
> release that I haven't noticed anything major like that in the five or
> several months that I've been using it.

While we're at it - suppose someone is the only administrator of a debian (stable) system connected to the internet permanently, with SSH, Postfix and Bind exposed to the 'big bad' world. Say that someone is lucky enough to take a vacation, and is not able to connect to the machine for two weeks. How dangerous is it to have 'apt-get update; apt-get upgrade' run automatically every day?

No, this scenario is not entirely hypothetical ;)

Dan
Re: New user Q: Best way to stay up to date on "testing"?
DR >> If anyone has advice on how to keep a Testing system secure,
DR >> I'd really like to hear it.
DR >
DR >If security is really an issue to you: lots of websites exist on how to make
DR >a linux system secure, involving very strict SSH settings, firewalls, etc.
DR >
DR >For the average user (such as myself) though, I think it should be enough to
DR >update your programs (packages) regularly, in order to not be harmed by
DR >script kiddies exploiting recent security leaks.

Thanks for the advice. Just to clarify: When I wrote that I was specifically thinking of the fact that the security team doesn't put out updates for stable -- I didn't mean securing as in settings and configuration. My fault, I wasn't clear.

So what I meant was, what method do people using Testing use to stay up to date when a security patch is released for Stable and not for Testing? Reading some old Debian Sec Advisories makes me think that updates really are released with some regularity for Testing. But the official Security FAQ says that the Security Team does not really stay on top of making sure patches are available for "Testing".

Thanks again.

--
Jonathan Wilson
Cedar Creek Software
http://www.cedarcreeksoftware.com
Re: New user Q: Best way to stay up to date on "testing"?
On Fri, 8 Oct 2004 15:18:02 -0500
JW <[EMAIL PROTECTED]> wrote:

> I was reading the security FAQ and am somewhat alarmed to find (if I
> understand correctly) that Testing is not actively supported by the
> security team. Youch. If I could put stable on it I would, but for the
> reasons stated above I can't.

'Testing' is not actively supported, correct until you near release time. Sarge has entered a freeze for the base packages, is in that 'near release time' phase and is now getting security updates along with the current 'Stable' (Woody). Sarge is expected to be released as the new stable 'any day now'.

> Could anyone confirm that "upgrade" is the right way to stay up to
> date. I'm not going to run it automatically, and I'll always do a test
> run first to make sure nothing disastrous is going to happen.

Yes, 'apt-get update' and 'apt-get upgrade' is the best way to keep up to date on security updates. If you install any packages outside of apt/dpkg and friends though, you will need to maintain them the same way you install them (obviously).

> Is running upgrade on a regular basis a bad idea for any reason?

The only thing that might cause a problem would be if it updates a large package (say Apache or Perl) and has a small configuration bug that makes you run around and pull your hair out trying to figure out what's changed and how to fix it. This is when reading the Debian-user list regularly is very helpful. However, Sarge is getting close enough to release that I haven't noticed anything major like that in the five or several months that I've been using it.

> If anyone has advice on how to keep a Testing system secure, I'd
> really like to hear it.

First and foremost, use a firewall and don't install software that you won't use. Extra and unneeded software can = extra security holes. Then there are additional tools like snort, tripwire, aide, etc. (apt-cache show 'packagename' will tell you more about it, apt-cache search 'keyword' will show you packages that meet that search criteria.)

> P.S. If anyone has a link to some favorite documentation on Debian
> package handling for newbies, please send it on. I've read a lot of
> man pages and docs on the web site, and I'll keep reading till I get
> it all. But the abundance of package handling tools and front ends is
> quite bewildering to someone who's used to RPM and only RPM. TIA.

http://newbiedoc.sourceforge.net/ has a lot of helpful information that's Debian specific. Written by Debian users for Debian users.

HTH,
Jacob
RE: New user Q: Best way to stay up to date on "testing"?
Hi,

> I am wondering what the best way is to go about staying up to date. If I
> run apt-get -s upgrade I'm told that apt wants to upgrade about 15
> packages, most of which seem to be related to X (we won't ever be using X
> on this server. it wasn't originally installed and I'd like to get rid of
> it but some other package I installed had a dependency on some gtk thing
> that had one on X. Oh well).

You should just uninstall all the packages related to X, then ;)

> Could anyone confirm that "upgrade" is the right way to stay up to date.
> I'm not going to run it automatically, and I'll always do a test run first
> to make sure nothing disastrous is going to happen.
>
> Is running upgrade on a regular basis a bad idea for any reason?

On the contrary: I think running upgrade on a regular basis is a very good idea. I've been running debian testing for a few weeks now, and I 'have' to do updates once about every two days. Never had any problems - you just run 'apt-get update; apt-get upgrade' and get a cup of coffee, and everything just keeps working perfectly. Certainly if you're going to check which updates are being done, I don't see what could go wrong.

By the way - my stable system needs updates once about every two weeks, just so you know.

Because I got tired of checking if updates were needed by hand (not something you're willing to do if updates are , I wrote a small cronjob that runs 'apt-get update; apt-get -s upgrade' and checks if the output contains "0 packages upgraded, 0 newly installed, 0 to remove". If it doesn't, it sends me an e-mail :)

> It just seems like I'll need to be as up to date as possible when Sarge is
> declared stable in order to make a smooth transition to Sarge/Stable.
> Correct me if I'm wrong. I've always found it better to update packages a
> little at a time rather than wait till there's dozens of updates to
> install.

I think this is the way to go, though I'm not exactly sure about the entire debian testing/sarge/woody/etc system. I do agree that it's better to update packages a little at a time rather than lots and lots and lots of packages at once.

> If anyone has advice on how to keep a Testing system secure,
> I'd really like to hear it.

If security is really an issue to you: lots of websites exist on how to make a linux system secure, involving very strict SSH settings, firewalls, etc.

For the average user (such as myself) though, I think it should be enough to update your programs (packages) regularly, in order to not be harmed by script kiddies exploiting recent security leaks.

Good luck,
Dan
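
A notify-only cron check in the spirit of the one described in the message above, as an added example that is not Dan's script. It parses the "Inst" lines of the simulation instead of matching the summary sentence, because current apt prints "0 upgraded, ..." rather than "0 packages upgraded, ...", and it reports a failed 'apt-get update' instead of treating it as "nothing to do". Function names, the --cron switch and the sample outputs are constructed; the security tag is a heuristic.

```shell
#!/bin/sh
# cron mails whatever a job prints, so this script stays silent when idle.

# pending_from_simulation: stdin = `apt-get -s upgrade` output.
# Prints "<package> <new-version> <security|regular>" per pending package.
# The tag is a heuristic: it looks for "security" in the package origin.
pending_from_simulation() {
    awk '$1 == "Inst" {
        ver = "?"
        for (i = 3; i <= NF; i++)
            if ($i ~ /^\(/) { ver = substr($i, 2); sub(/\)$/, "", ver); break }
        tag = ($0 ~ /[Ss]ecurity/) ? "security" : "regular"
        print $2, ver, tag
    }'
}

# summary_match: the check described in the post, a fixed-string match on
# the summary line. Exit status 0 means "nothing to do".
summary_match() {
    grep -q "0 packages upgraded, 0 newly installed, 0 to remove"
}

# Constructed sample outputs (package versions are made up).
sample_pending() {
    cat <<'EOF'
Reading package lists...
The following packages will be upgraded:
  bind9 openssh-server
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst openssh-server [1.0-1] (1.0-1+sec1 Debian-Security:stable-security [amd64])
Inst bind9 [2.0-1] (2.0-2 Debian:stable [amd64])
Conf openssh-server (1.0-1+sec1 Debian-Security:stable-security [amd64])
Conf bind9 (2.0-2 Debian:stable [amd64])
EOF
}
sample_idle_new() {   # wording printed by current apt
    echo "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
}
sample_idle_old() {   # wording quoted in the post
    echo "0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
}

# run_check: the cron entry point (needs root for `apt-get update`).
# A failed update is reported instead of being mistaken for "no upgrades".
run_check() {
    if ! apt-get -qq update; then
        echo "apt-get update failed: package lists may be stale"
        return 1
    fi
    LC_ALL=C apt-get -s upgrade | pending_from_simulation
}

if [ "${1:-}" = "--cron" ]; then
    run_check
else
    sample_pending | pending_from_simulation   # demo on constructed input
fi
```

Run from root's crontab with --cron, it only reports; nothing is installed while the administrator is away.
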
Re: New user Q: Best way to stay up to date on "testing"?
-- Original Message -
Subject: New user Q: Best way to stay up to date on "testing"?
Date: Fri, 8 Oct 2004 15:18:02 -0500
From: JW <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello,

Sorry to bother everyone with newbie questions, but I'm struggling to understand the entire Debian environment and need a little advice.

I have been using SuSE for a long time but recently my job has required me to start administrating a Debian server that was set up with 3.1/Sarge/Testing by the co (server is actually in another state, so I'm stuck with what the co-lo put on it). I like Debian and I'm sure with time I'll figure it all out, but in the short run I need a little help.

We are planning on keeping the server for quite a long time, it will be used for part of a billing system (perl/web based).

I was reading the security FAQ and am somewhat alarmed to find (if I understand correctly) that Testing is not actively supported by the security team. Youch. If I could put stable on it I would, but for the reasons stated above I can't.

It seems to me that the best thing for me to do is keep all the installed software up to date. For one thing, new packages are more likely to contain security fixes (even if they aren't official security patches), and also, I'm hoping that some day in the future Sarge will be declared stable and I'll be able to hop on the security train.

As a fellow SUSE user, I can tell you Sarge will eventually be declared stable - after the release-critical bugs have been resolved. I have not yet noticed a date for declaring Sarge stable. Probably shouldn't be too much longer, but I'm fairly new to this environment myself. Hopefully the older hands on deck will be more helpful to you in that regard.

Don

--
DC Parris GNU Evangelist
http://matheteuo.org/
[EMAIL PROTECTED]
Free software is like God's love - you can share it with anyone anywhere anytime!