Re: Is it secure to use testing/backport repos for production server?

2009-04-18 Thread Nuno Magalhães
On Thu, Apr 16, 2009 at 21:57, Boyd Stephen Smith Jr.
b...@iguanasuicide.net wrote:

> If you trust upstream for that package, you might want to follow
> backports/testing/unstable/experimental for that package.

I'm running unstable and clamav also complains that it's outdated.

> That's just a result of upstream desire conflicting with Debian policy.
> Upstream wants you to always be using the latest (stable) release.  Debian
> policy is to not introduce new upstream versions during the lifetime of the
> stable release.

What about unstable? I've already had two packages whose latest
unstable Debian package is older (version number) than upstream's
latest unstable. So why is it unstable?

I've been running unstable since Woody; how unstable is experimental?

Nuno
-- 
()  ascii ribbon campaign - against html e-mail
/\  ascii-rubanda kampajno - kontraŭ html-a retpoŝto


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: Is it secure to use testing/backport repos for production server?

2009-04-18 Thread Boyd Stephen Smith Jr.
In 6b1504c40904180435j28f28b6er584addcefb0b...@mail.gmail.com, Nuno 
Magalhães wrote:
> On Thu, Apr 16, 2009 at 21:57, Boyd Stephen Smith Jr.
>> Upstream wants you to always be using the latest (stable) release.  Debian
>> policy is to not introduce new upstream versions during the lifetime of
>> the stable release.
>
> What about unstable? I've already had two packages whose latest
> unstable Debian package is older (version number) than upstream's
> latest unstable. So why is it unstable?

Because it changes often and without warning.  However, there's no automated 
process that goes from upstream's release tarballs to an unstable package; the 
human maintainer(s) are responsible for that.

If you have a specific package in mind and it has been more than (roughly) a 
week, you might file a bug or at least mail the maintainer.  If the package 
has a good debian/watch file and the maintainer is following the package on 
the PTS, they've already received one email.

New upstream releases can go into unstable any time.  However, there are good 
reasons a maintainer might decide not to upload to unstable during a freeze of 
testing.  Depending on what transitions are going on in testing/unstable, a 
maintainer might hold off so that the dependencies of the package settle.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/





Re: Is it secure to use testing/backport repos for production server?

2009-04-18 Thread John Hasler
Boyd Stephen Smith Jr. writes:
> Depending on what transitions are going on in testing/unstable, a
> maintainer might hold off so that the dependencies of the package settle.

A maintainer may also not consider the new upstream version ready for
Debian, may have it installed on his machine and be testing it, or may be
working on the extensive changes that are sometimes necessary to get a new
release to build and run on Debian.  There is a lot more to it than just
building and uploading the package.
-- 
John Hasler





Re: Is it secure to use testing/backport repos for production server?

2009-04-18 Thread rafa

Sthu Deus wrote:

> Thank You for Your time and answer, Michael:
>
>> It really all depends how well you know Debian, and how
>> mission-critical the server is; or if it's a single-user or
>> multi-user system -- There are a lot of factors to take into account.
>
> I think any server admin. wants that his server/work will not be
> destroyed in any mission critical degree.
>
> Now I'm speaking about single user that has bash access (me) + many
> users that use proxy on it, postfix, ftp. - So, if this can narrow Your
> advice, I would like to hear it.
>
>> Realistically, the most 'secure' choice would be to use stable with
>> backports, but most things are still outdated. And for a production
>> environment you need up-to-date software; in cases like these
>> I'd recommend using testing.
>
> Thank You, again, And what is Your opinion on volatile for clamav, for
> example - It always says to me, it is outdated.

If you are happy with the software version in stable, then use stable; 
you will have far fewer updates. For clamav I would recommend you use 
volatile.


Best regards,

Rafael.






Re: Is it secure to use testing/backport repos for production server?

2009-04-17 Thread Michael Pobega
On Thu, Apr 16, 2009 at 11:39:25AM -0500, Boyd Stephen Smith Jr. wrote:
> In 20090416152722.ga23...@greedo, Michael Pobega wrote:
>> On Thu, Apr 16, 2009 at 09:50:46PM +0700, Sthu Deus wrote:
>>> Is it secure to use testing/backport repos for production server?
>> Realistically, the most 'secure' choice would be to use stable with
>> backports,
>
> No, it would be stable plus security.

No, in the choices he gave it'd be stable with backports; what I meant
to say was out of the two you said, but I didn't convey that clearly
enough I suppose.

-- 
  http://fuzzydev.org/~pobega
http://identi.ca/pobega





Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Michael Pobega
On Thu, Apr 16, 2009 at 09:50:46PM +0700, Sthu Deus wrote:
> Good day.
>
> Is it secure to use testing/backport repos for production server?
>
> Thank You for Your time.

It's really your choice. Backports is probably a lot safer than testing,
but personally I haven't had a real problem in my two years of running
Debian testing.

It really all depends how well you know Debian, and how mission-critical
the server is; or if it's a single-user or multi-user system -- There
are a lot of factors to take into account.

Realistically, the most 'secure' choice would be to use stable with
backports, but most things are still outdated. And for a production
environment you need up-to-date software; in cases like these
I'd recommend using testing.

-- 
  http://fuzzydev.org/~pobega
http://identi.ca/pobega





Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Boyd Stephen Smith Jr.
In 49e7460c.25e2660a.2ffc.2...@mx.google.com, Sthu Deus wrote:
> Is it secure to use testing/backport repos for production server?

IIRC, the Debian security team does not currently provide support for 
testing or backports.  They will provide support for testing in the future, 
but it was temporarily discontinued due to the large amount of flux caused 
by the Lenny release.

In general, backports is updated in response to security issues, but it 
seems difficult to determine what DSAs affect backports in general.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/





Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Tzafrir Cohen
On Thu, Apr 16, 2009 at 09:50:46PM +0700, Sthu Deus wrote:
> Good day.
>
> Is it secure to use testing/backport repos for production server?

Generally: no. However, you wouldn't be asking this question if there
wasn't some important feature you needed from Testing. So the third
option to consider is a personal backport maintained and updated by you.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
ICQ# 16849754 || friend





Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Boyd Stephen Smith Jr.
In 20090416152722.ga23...@greedo, Michael Pobega wrote:
> On Thu, Apr 16, 2009 at 09:50:46PM +0700, Sthu Deus wrote:
>> Is it secure to use testing/backport repos for production server?
> Realistically, the most 'secure' choice would be to use stable with
> backports,

No, it would be stable plus security.

> but most things are still outdated.

They are stable (i.e. mostly unchanging) throughout the release cycle, yes.

> And for a production
> environment you need up-to-date software;

Not really.  You need the software to have security bugs fixed and have 
critical bugs that affect you addressed, both of which are done with stable.  
Sometimes you may want to pull individual packages from stable-proposed-
updates, if one of the fixed release critical bugs affects you and you don't 
want to wait for the release to be updated.

You may want to pull select packages from testing or unstable or even 
experimental, if you need features that were not in the latest release.  
However, you may need to invest more effort in supporting those packages 
yourself.

I recommend stable+security+volatile for production servers.  If you need 
newer versions than are in stable, then I recommend a mixed system: pin 
stable+security+volatile at priority 900.  Then until you have the package 
version you need add, in order:
backports at priority 800
testing+security[1] at priority 700
backports/testing (usually empty, if available at all) at priority 600
unstable at priority 500
experimental at priority 300
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/

[1] I'd like to say testing+security+volatile, but last time I checked the 
Release file for testing/volatile incorrectly claimed to be stable, which 
caused pinning problems.




Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Sthu Deus
Thank You for Your time and answer, Michael:

> It really all depends how well you know Debian, and how
> mission-critical the server is; or if it's a single-user or
> multi-user system -- There are a lot of factors to take into account.

I think any server admin. wants that his server/work will not be
destroyed in any mission critical degree.

Now I'm speaking about single user that has bash access (me) + many
users that use proxy on it, postfix, ftp. - So, if this can narrow Your
advice, I would like to hear it.

> Realistically, the most 'secure' choice would be to use stable with
> backports, but most things are still outdated. And for a production
> environment you need up-to-date software; in cases like these
> I'd recommend using testing.

Thank You, again, And what is Your opinion on volatile for clamav, for
example - It always says to me, it is outdated.





Re: Is it secure to use testing/backport repos for production server?

2009-04-16 Thread Boyd Stephen Smith Jr.
In 49e791b8.02ab100a.0542.2...@mx.google.com, Sthu Deus wrote:
> Thank You, again, And what is Your opinion on volatile for clamav, for
> example - It always says to me, it is outdated.

I have volatile enabled, and it says it is outdated to me, too.

That's just a result of upstream desire conflicting with Debian policy.  
Upstream wants you to always be using the latest (stable) release.  Debian 
policy is to not introduce new upstream versions during the lifetime of the 
stable release.  Release-critical and security fixes can be backported to the 
version in the release if need be.

If you trust upstream for that package, you might want to follow 
backports/testing/unstable/experimental for that package.  If you don't, 
trust aptitude (Debian) to let you know when there is an update and ignore 
the warning.

For me, I use stable+security+volatile for my systems that need to be always 
available and secure.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/


