On Monday 14 March 2005 20:07, Julien BLACHE wrote:
> Stephen Gran <[EMAIL PROTECTED]> wrote:
> >> > Thus the problem is less in the development and more in the support
> >> > of testing requirements (all arches in sync) and stable support
> >> > (security response time). Therefore the N<=2 requirement is only
> >> > needed for tier-1 arches but not for the tier-2 which will not
> >> > officially release a stable.
> >>
> >> What is the detailed reasoning for this requirement anyway ?
> >
> > I thought that was fairly clear - a 12 day build of a security fix is
> > unacceptable, especially since it hampers getting that fix out the door
> > for everyone else.
>
> Then we have to adjust our security support policy. Define Tier-1
> archs for security support, release updates for them first. Then for
> the others. I fail to see how this could be a problem.

The problem for me is on machines (like my old sparc nameserver, providing
service for 1500 users, being attacked multiple times a day) where receiving
a security update days later[1] is no option.

Having sparc in tier-1 without zero-day security updates would be no use to
me, because I couldn't honestly say that "all tier-1 architectures are fit
for production use and properly supported by Debian."

I don't know what to do with tier-1.5 arch fulfilling everything except
prompt security updates.

Regards,
David

[1] Time to Exploitation after announcement is going down to hours. Attack
rates are in the some-per-hour range. Prototype flashworm simulations reach
99% infection in seconds. And I don't see how it is getting any better.

-- 
- hello... how are you today?
- *cough* fine *sniffle* *wheeze*
- thank God we are communicating over a septic medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15