backports security (http://www.linux-archive.org/debian-user/282913-backports-security.html)

Sthu Deus 11-19-2009 06:16 AM

backports security
 
Good day.

I have searched backport and wiki web sites and still cannot understand: does the Debian security team work with its packages or not? In other words, using stable only and desiring the same security quality, I would not use the backports repo? Am I correct?

Thank You for Your time.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Sven Hoexter 11-19-2009 06:42 AM

backports security
 
On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> Good day.
>
> I have searched backport and wiki web sites and still cannot understand: does the Debian security team work with its packages or not? In other words, using stable only and desiring the same security quality, I would not use the backports repo? Am I correct?

backports.org is not under the hands of the Debian security team.

Usually backports are based on packages from testing; in case of a security
issue, uploads based on packages from unstable are allowed as well.
It's usually the uploader of the backport who is responsible for taking care
of uploads in case of a security issue. So it doesn't hurt if you keep an eye
on the backports you install as well. Since you should install only selected
backports where needed, you have to monitor just those very few selected packages.

Additionally there is a backports-security-announce list where backporters
announce security relevant uploads.


Gerfried: Maybe that's something that should be noted in the FAQ as well?

Sven
--
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
[The Cardigans - 03:45: No sleep]



Gerfried Fuchs 11-19-2009 11:55 AM

backports security
 
Hi!

Thanks to Sven for bringing the thread to my attention.

* Sven Hoexter <sven@timegate.de> [2009-11-19 08:42:49 CET]:
> On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> > I have searched backport and wiki web sites and still cannot
> > understand: does the Debian security team work with its packages or
> > not? In other words, using stable only and desiring the same
> > security quality, I would not use the backports repo? Am I correct?
>
> backports.org is not under the hands of the Debian security team.

Likewise with unstable and testing these days, unfortunately. Too few
people able to put their efforts into it, overworked and stuff.

> Usually backports are based on packages from testing; in case of a
> security issue, uploads based on packages from unstable are allowed
> as well. It's usually the uploader of the backport who is responsible
> for taking care of uploads in case of a security issue. So it doesn't
> hurt if you keep an eye on the backports you install as well. Since you
> should install only selected backports where needed, you have to monitor
> just those very few selected packages.

I tried to track it myself and pester people to update their packages,
though currently I'm in a bit of time constraint trouble myself and have
to prioritize other things; it's not like I wouldn't like to continue
on that front. :/

> Additionally there is a backports-security-announce list where
> backporters announce security relevant uploads.

And there is support in the security-tracker to look up open issues and
pester people that don't update their packages on backports when the fix
did finally hit unstable. Feel free to follow the links from
<http://security-tracker.debian.org/tracker/> about "Vulnerable packages
in backports".

> Gerfried: Maybe that's something that should be noted in the FAQ
> as well?

Is now, was overdue, and thanks for the prod. :)
Rhonda


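Sven's advice above (keep an eye on the few backports you actually install) and Gerfried's pointer to the tracker's "Vulnerable packages in backports" list both come down to the same first step: knowing which installed packages came from backports at all. The script below is an added example for this thread, not code from the thread, from Debian or from backports.org. It assumes the backports versioning convention that a backported package's version carries a `~bpoNN+M` marker (for example `1.0-1~bpo50+1` on lenny) and that the input is the output of `dpkg-query -W -f='${Package} ${Version}\n'`; the sample dpkg output and the list of flagged package names are constructed for the example, and `live_dpkg_output` is the one function that would touch a real system.

```python
r"""List installed Debian packages that came from backports.

Added example for the thread; not code from the thread, from Debian or
from backports.org. Assumes the backports versioning convention that a
backported version carries a "~bpoNN+M" marker and that the input is
    dpkg-query -W -f='${Package} ${Version}\n'
The sample output and the flagged names below are constructed.
"""
import re
import subprocess

# A backport version looks like <upstream>-<rev>~bpo<release>+<n>.
BPO_MARKER = re.compile(r"~bpo\d+\+\d+")

# Constructed sample of dpkg-query output (not taken from a real system).
SAMPLE_DPKG_OUTPUT = """\
apache2 2.2.9-10+lenny8
iceweasel 3.5.5-1~bpo50+1
libc6 2.7-18
postgresql-8.4 8.4.1-1~bpo50+1
"""

# Constructed, hypothetical stand-in for names an admin would read off the
# tracker's "Vulnerable packages in backports" page; not real tracker data.
SAMPLE_FLAGGED = {"iceweasel", "bind9"}


def parse_dpkg_query(text):
    """Yield (package, version) pairs from 'dpkg-query -W' style output."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        package, _, version = line.partition(" ")
        yield package, version


def backported_packages(text):
    """Return {package: version} for entries whose version marks a backport."""
    return {p: v for p, v in parse_dpkg_query(text) if BPO_MARKER.search(v)}


def needs_attention(backported, flagged):
    """Names of installed backports that also appear on the flagged list."""
    return sorted(name for name in backported if name in flagged)


def live_dpkg_output():
    """Read the real package list on a Debian host (not used by the sample run)."""
    return subprocess.check_output(
        ["dpkg-query", "-W", "-f=${Package} ${Version}\n"], text=True
    )


if __name__ == "__main__":
    bpo = backported_packages(SAMPLE_DPKG_OUTPUT)
    print("Installed backports to keep an eye on:")
    for name, version in sorted(bpo.items()):
        print(f"  {name} {version}")
    print("Also flagged on the tracker:", needs_attention(bpo, SAMPLE_FLAGGED))
```

Replace `SAMPLE_DPKG_OUTPUT` with `live_dpkg_output()` to run it against a real host; the short list it prints is exactly the set of packages whose security updates the backporter, not the Debian security team, is responsible for, and therefore the set worth following on backports-security-announce.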

"Jesús M. Navarro" 11-20-2009 07:20 PM

backports security
 
Hi Gerfried:

On Thursday 19 November 2009 13:55:25 Gerfried Fuchs wrote:
> Hi!
>
> Thanks to Sven for bringing the thread to my attention.
>
> * Sven Hoexter <sven@timegate.de> [2009-11-19 08:42:49 CET]:
> > On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> > > I have searched backport and wiki web sites and still cannot
> > backports.org is not under the hands of the Debian security team.
>
> Likewise with unstable and testing these days, unfortunately. Too few
> people able to put their efforts into it, overworked and stuff.

Unfortunately? I'd better say "by design". Unstable/Testing is not there to
provide a product to final users but to provide a testbed for software
integration. If there's a problem with a software package you:
a) Resolve it if it's a problem with the way Debian packages it.
b) Wait for upstream to resolve the problem.

I don't see how deriving away to those goals would be in benefit of anyone,
even if you could count with enough hands to manage the task. I in fact find
that too many times package maintainers are too "bland" regarding what
their "real work" should be in that neither unstable nor testing is the
testbed for *the programs* but for their packaging so I wouldn't send to
unstable software known to be non-production ready (i.e.: KDE prior to 4.4 or
even 4.5).



Paul E Condon 11-20-2009 10:36 PM

backports security
 
On 20091120_212056, Jesús M. Navarro wrote:
> Hi Gerfried:
>
> On Thursday 19 November 2009 13:55:25 Gerfried Fuchs wrote:
> > Hi!
> >
> > Thanks to Sven for bringing the thread to my attention.
> >
> > * Sven Hoexter <sven@timegate.de> [2009-11-19 08:42:49 CET]:
> > > On Thu, Nov 19, 2009 at 02:16:15PM +0700, Sthu Deus wrote:
> > > > I have searched backport and wiki web sites and still cannot
> > > backports.org is not under the hands of the Debian security team.
> >
> > Likewise with unstable and testing these days, unfortunately. Too few
> > people able to put their efforts into it, overworked and stuff.
>
> Unfortunately? I'd better say "by design". Unstable/Testing is not there to
> provide a product to final users but to provide a testbed for software
> integration. If there's a problem with a software package you:
> a) Resolve it if it's a problem with the way Debian packages it.
> b) Wait for upstream to resolve the problem.
>
> I don't see how deriving away to those goals would be in benefit of anyone,
> even if you could count with enough hands to manage the task. I in fact find
> that too many times package maintainers are too "bland" regarding what
> their "real work" should be in that neither unstable nor testing is the
> testbed for *the programs* but for their packaging so I wouldn't send to
> unstable software known to be non-production ready (i.e.: KDE prior to 4.4 or
> even 4.5).

Your position is commendable as an ideal way to operate Debian, but ...
In the real world, there are a lot of people who are quite unaware of how special
Debian is, and think, quite unrealistically, that it is just another variant
of RedHat or Ubuntu or whatever. Without backports, these people would be
constantly nagging for a way to cross-install packages from other distros.
I think life would actually be a lot less pleasant for people like you who
want to work on a good, solid, reliable distro.

--
Paul E Condon
pecondon@mesanetworks.net



"Jesús M. Navarro" 11-22-2009 12:07 AM

backports security
 
Hi, Paul:

On Saturday 21 November 2009 00:36:12 Paul E Condon wrote:
> On 20091120_212056, Jesús M. Navarro wrote:

[...]

> > Unfortunately? I'd better say "by design". Unstable/Testing is not
> > there to provide a product to final users but to provide a testbed for
> > software integration. If there's a problem with a software package you:
> > a) Resolve it if it's a problem with the way Debian packages it.
> > b) Wait for upstream to resolve the problem.
> >
> > I don't see how deriving away to those goals would be in benefit of
> > anyone, even if you could count with enough hands to manage the task. I
> > in fact find that too many times package maintainers are too "bland"
> > regarding what their "real work" should be in that neither unstable nor
> > testing is the testbed for *the programs* but for their packaging so I
> > wouldn't send to unstable software known to be non-production ready
> > (i.e.: KDE prior to 4.4 or even 4.5).
>
> Your position is commendable as an ideal way to operate Debian, but ...
> In the real world, there are a lot of people who are quite unaware of how
> special Debian is

Therefore the proper path of action is tell them what to expect. I think it's
even in the Bible: teach the ignorant.

> Without backports, these
> people would be constantly nagging for a way to cross-install packages from
> other distros.

I won't buy that. Without backports *and* knowledge, maybe. Backports fill
an important and interesting hole, but come at a price. Using third party
packages (may) fill an important hole, but come at a price. It is both the
responsibility and the advantage of the user to know how it is expected from
them to use some tools and, anyway, what's the price they'll have to pay for
them, so they can properly find the cost/benefit equation. No one is
benefiting anyone by hiding the related costs of a choice till it's too
late.



