Also sprach Colin Watson (Tue 05 Aug 02003 at 02:24:39AM +0100):
> On Mon, Aug 04, 2003 at 08:08:01PM -0500, Michael D. Schleif wrote:
> > Also sprach Hugh Saunders (Tue 05 Aug 02003 at 01:25:45AM +0100):
> > > erm, why not just run unstable?? mixed stable/testing/unstable looks
> > > like a mess to me and probably doesn't help with getting security fixes
> > > for stuff either.
> >
> > Exactly! Since there are *no* un-stable security sources, I'd prefer to
> > stick with stable/testing ;<
>
> I think there might be a slight misunderstanding here.
>
> Stable gets security updates, but, if you have a version of the package
> in question from unstable installed, then the version in the stable
> security update will be less than the installed one, and therefore won't
> be installed.
>
> Testing gets *no security updates* apart from those that trickle in from
> unstable (or, very rarely, testing-proposed-updates). It is the least
> secure distribution. This is mainly a manpower problem on Debian's end,
> but it's nevertheless a reality.
>
> While unstable has no security team explicitly looking after it, it
> still gets security fixes, usually reasonably promptly, sometimes before
> stable if the maintainer happens to be on the ball, and certainly before
> testing.
>
> In your place, I would go for either stable plus backported bits and
> pieces or unstable, depending on the application. I think running mixed
> systems is unwise, except perhaps for testing plus bits from unstable,
> and even then I'm not sure. On my stable systems, the only
> not-from-stable packages I run are ones which I have compiled on stable
> from later source; this avoids the "whoops, I dragged in unstable's
> libc6 and the world blew up" problem. The sorts of packages that you
> most want to keep stable are often exactly the sorts of packages that
> dependencies in testing and unstable will force you to upgrade.

I really do want to understand this, because lately I'm being drawn more
and more into unstable.

A couple months ago, I was drawn from woody/stable into testing, and now
my boxen are mostly testing:

    apt.conf:
    APT::Default-Release "testing";

Nevertheless, empirically I know that these are valid sources:

    deb http://security.debian.org stable/updates contrib main non-free
    deb http://security.debian.org testing/updates contrib main non-free

And, this is *NOT* valid:

    deb http://security.debian.org unstable/updates contrib main non-free

Please, correct my misunderstandings, Colin; but, what I understand from
your message above is that, regardless of an unstable security source,
my boxen would be better off as totally, wholly un-stable?

What am I missing?

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .
--