On Tue, Jan 04, 2005 at 07:45:12PM -0500, Roberto Sanchez wrote:
> >I subscribe to debian-security (+ d-s-announce) and get reports whenever
> >there's anything released.
> >I know what is installed on my boxes, so I know if this announcement
> >affects me.
> >
> You are probably in the minority, then.
>

Yes, probably, but I'm using testing, which isn't supported by the
standard security team. Therefore, it's now my sole responsibility to
look at security changes.

> >Recently, I did have a box rooted. This was due to a user running phpbb
> >on the system, without me knowing, despite the policy of no software
> >without clearance from me.
> >
> That really sucks.
>

Yup. It's annoying to have to travel down to London because of it. The
user was suitably 'chastised' :)

> The only thing you did not address is when there is a security fix for which
> there is not an announcement. If a package is not already in Woody,
> then it is not receiving security team support and will go under the
> radar. Additionally, some maintainers work closely with upstream and
> fix the problems almost immediately. In both of those cases, you would
> need to be monitoring the changelog for each of your packages and
> watching for security-related changes to packages.
>

These normally crop up in either:

* security list and/or
* various irc channels

However, it's not something that I would expect a normal user to do. But
I wouldn't be expecting a normal user to be using testing for a
production system.

> That makes me wonder. I know that there are tools like cron-apt that
> will perform apt-related tasks through cron jobs. Is there a way to
> make it (or another tool) download the changelogs and email you any new
> ones?
>

Would be worth writing, but IMO a list with various people looking at
different changelogs is just as reliable. Like various lists already out
there :)

Warm regards,

Neil
--
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3
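The changelog-watching idea discussed in the thread, as an added example that is not part of the original messages or of cron-apt: it parses Debian changelog text and reports entries above the installed version that carry a high urgency or security-related wording. The function names, keyword list and sample changelog are assumptions constructed for illustration; fetching changelogs and sending mail are left out, and the installed version is located by exact string match rather than Debian version ordering.

```python
import re

# Header line of a Debian changelog entry: "pkg (version) dist; urgency=level"
HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) [^;]+; urgency=(?P<urg>\w+)")
# Wording that suggests a security-relevant change (heuristic, assumed list)
SECURITY = re.compile(r"\b(security|vulnerab\w*|buffer overflow|C(?:VE|AN)-\d{4}-\d+)\b", re.I)
URGENT = {"high", "emergency", "critical"}

def parse_changelog(text):
    """Yield one dict per entry, newest first (the order used in the file)."""
    entry = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entry = {**m.groupdict(), "body": []}
        elif entry and line.startswith(" -- "):    # maintainer trailer closes the entry
            yield entry
            entry = None
        elif entry and line.strip():
            entry["body"].append(line.strip())

def security_entries_since(text, installed_version):
    """Return (pkg, version, urgency, text) for suspicious entries above installed_version."""
    hits = []
    for e in parse_changelog(text):
        if e["ver"] == installed_version:
            break                                   # everything below is already installed
        body = " ".join(e["body"])
        if e["urg"].lower() in URGENT or SECURITY.search(body):
            hits.append((e["pkg"], e["ver"], e["urg"], body))
    return hits

def _entry(ver, urg, change):
    """Build one constructed changelog entry for the sample below."""
    return (f"examplepkg ({ver}) unstable; urgency={urg}\n\n  * {change}\n\n"
            " -- Example Maintainer <maint@example.org>  Mon, 03 Jan 2005 10:00:00 +0000\n\n")

# Constructed sample: package name, versions and the ID are placeholders
SAMPLE = "".join([
    _entry("1.2-4", "low", "Update package description."),
    _entry("1.2-3", "high", "Fix crash in the request parser."),
    _entry("1.2-2", "low", "Apply upstream patch for CVE-0000-0000 (placeholder ID)."),
    _entry("1.2-1", "low", "Security: tighten file permissions."),
])

if __name__ == "__main__":
    for pkg, ver, urg, body in security_entries_since(SAMPLE, "1.2-1"):
        print(f"{pkg} {ver} (urgency={urg}): {body}")
```

Entry 1.2-3 is caught only by its urgency field and 1.2-2 only by its wording, which is why both signals are checked; a fix described in neutral words at low urgency would still be missed.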