On Sat, Jan 11, 2003 at 07:37:55PM -0500, Bruno Diniz de Paula wrote:
> So what you mean is that if someone finds a security flaw on any
> package, the security team of Debian is informed and consequently the
> maintainer of that package is informed. Then the maintainer updates the
> package at woody/potato, advertises that and, at the same time, updates
> the unstable version. This would mean that, in terms of solved bugs in
> the *software* that could cause a security flaw, both woody and sid are
> exactly equal. Is it that?
Well, at the same time all kinds of other software updates are happening in unstable as well. The security fix might be uploaded, and then 2 hours later a package for the next upstream release might be uploaded as well (introducing half a dozen new bugs in the process), and it's all the same to apt-get upgrade.

Personally (though this is just IMHO) I think that if you're really concerned about security, it'd be better to run a stable release. If there are later versions of specific packages that you really want, there are alternative ways of getting them while still maintaining a mostly stable system (such as "pinning", or using deb-src lines for testing and/or unstable and building your own packages with apt-get source -b). This way you have stable's security update infrastructure working for you.

sean
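The "mostly stable" setup sean describes (pinning, plus deb-src lines so selected packages can be rebuilt from testing or unstable source) as an added, runnable example. This is not from the original thread or from Debian's own documentation; the mirror URL, the suite labels (stable/testing/unstable) and the priority values are assumptions chosen to illustrate the mechanism, and APT_ROOT is a hypothetical variable so the script writes into a scratch directory instead of /etc/apt when you try it.

```shell
#!/bin/sh
# Added example (not part of the original post): lay out sources.list and
# preferences for a stable system that can pull individual packages from
# testing/unstable on request, and show how to query the resulting pins.
# Assumptions: Debian-style apt; mirror and priorities are illustrative.
# APT_ROOT (hypothetical) defaults to a scratch dir so nothing under / changes.
set -eu

APT_ROOT="${APT_ROOT:-$(mktemp -d)}"
MIRROR="${MIRROR:-http://ftp.debian.org/debian}"

# Binary lines for all three suites (so "apt-get -t unstable install foo"
# works), deb-src lines so "apt-get source -b foo" can fetch newer sources,
# and the security archive that actually delivers stable's fixes.
write_sources() {
    mkdir -p "$APT_ROOT/etc/apt"
    cat > "$APT_ROOT/etc/apt/sources.list" <<EOF
deb $MIRROR stable main
deb http://security.debian.org/ stable/updates main
deb $MIRROR testing main
deb $MIRROR unstable main
deb-src $MIRROR stable main
deb-src $MIRROR testing main
deb-src $MIRROR unstable main
EOF
}

# apt priority bands: >=1000 allows downgrades, 500-990 upgrades to that
# version, 100-499 installs only when no other suite offers the package,
# <100 never installs unless already installed. Keeping testing/unstable
# below 500 means "apt-get upgrade" stays on stable; "-t unstable" raises
# that suite to 990 for one run and so pulls just the package you name.
write_preferences() {
    mkdir -p "$APT_ROOT/etc/apt"
    cat > "$APT_ROOT/etc/apt/preferences" <<EOF
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 400

Package: *
Pin: release a=unstable
Pin-Priority: 300
EOF
}

# Print the Pin-Priority configured for an archive label (stable/testing/...).
pin_priority() {
    awk -v want="a=$1" '
        $1 == "Pin:" && $2 == "release" && $3 == want { hit = 1; next }
        hit && $1 == "Pin-Priority:"                  { print $2; exit }
        /^$/                                          { hit = 0 }
    ' "$APT_ROOT/etc/apt/preferences"
}

# Count deb-src lines, i.e. how many suites apt-get source can draw on.
src_line_count() {
    grep -c '^deb-src ' "$APT_ROOT/etc/apt/sources.list"
}

# The two ways to get a newer package while staying on stable. Not executed
# here; shown as the commands you would run after "apt-get update".
show_commands() {
    printf '%s\n' \
        'apt-get -t unstable install PKG      # binary from unstable, deps too' \
        'apt-get source -b -t unstable PKG    # rebuild unstable source on stable'
}

write_sources
write_preferences
echo "apt layout written under $APT_ROOT/etc/apt"
show_commands
```

Two practical caveats follow from the layout. Installing a binary from unstable drags in whatever newer libraries it depends on, so `apt-get source -b` against the deb-src line is usually the smaller change to a stable system. Either way, the package you pulled or rebuilt is no longer tracked by security.debian.org, so you have to watch for its advisories yourself; that is exactly the trade-off sean's last sentence points at.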