On Sunday 16 November 2003 00:24, Jesse Meyer wrote:
> Debian-stable (the branch you want to be using for servers) tends to
> be several months to a year behind the bleeding edge. This bothers
> some people. For a server, I'd rather go with a tested solution than
> the bleeding edge, but others differ.
It's obviously a Good Thing[tm] to be as stable as possible on a server. However, what I don't get is why packages like Snort, so outdated that you should not use them (see DSA-297), are still kept back. That's a real problem, IMHO. I really can't see any advantage in not upgrading these packages in the distro itself, for example at point releases. Obviously, you could argue that updating a package would break some admin's system, but really, an admin who does use stable's package needs a wake-up call anyway. The same thing goes for e.g. SpamAssassin, chkrootkit, Nessus, and I guess a few more.

The funny thing is that many of these are security related; I mean, what a perfect way to trojan a bunch of newbies' machines: the newbie hears on debian-user that he must update some of these packages. So, a malicious cracker puts up a site with "official updates", which the newbie finds on Google (or apt-get.org, perhaps) and adds to his sources.list. Instantly, he gets a version of Snort that ignores attacks and a chkrootkit with a rootkit... Also, since the newbie probably hasn't met anyone at a keysigning party, signatures won't mean anything to him. Elegant, huh?

So, what level of experience would be required to discover such an attack? I'm not sure I would discover it myself, but then, I _am_ pretty much a newbie myself. :-)

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
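The trap Kjetil describes, a third-party "official updates" line pasted into sources.list, is something an admin can at least look for mechanically. The script below is an added example, not part of the original mail or of Debian's tooling: it parses one-line apt source entries, flags any host not on an allowlist of official Debian hosts, and flags the `[trusted=yes]` option, which tells modern apt (apt-secure, present since apt 0.6) to skip Release signature verification for that source. The allowlist and the sample sources.list content are constructed assumptions for this example.

```python
"""Audit apt one-line source entries for unofficial hosts and disabled
signature checks. Added example; the host allowlist and sample file
content are constructed, not taken from any real system."""
import re
from urllib.parse import urlparse

# Assumption: hosts this admin considers official Debian mirrors.
OFFICIAL_HOSTS = {
    "deb.debian.org",
    "security.debian.org",
    "ftp.debian.org",
}

# Constructed sample sources.list: two official lines, a deb-src line,
# and the kind of "official updates" line a newbie might paste in.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
# "Official Snort/chkrootkit updates" found via a search engine (constructed)
deb [trusted=yes] http://debian-official-updates.example.net/debian stable main
deb-src http://deb.debian.org/debian bookworm main
"""

# One-line format: deb|deb-src [options] uri suite [component ...]
ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?:\s+(?P<comps>.*))?$"
)


def parse_sources(text):
    """Return one dict per active entry; unparseable lines get an 'error' key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable: " + line})
            continue
        options = {}
        for opt in (m.group("opts") or "").split():
            key, _, value = opt.partition("=")
            options[key.lower()] = value
        entries.append({
            "line": lineno,
            "type": m.group("type"),
            "options": options,
            "uri": m.group("uri"),
            "suite": m.group("suite"),
            "components": (m.group("comps") or "").split(),
        })
    return entries


def audit(entries, official_hosts=OFFICIAL_HOSTS):
    """Return (line, reason) findings for entries worth a second look."""
    findings = []
    for e in entries:
        if "error" in e:
            findings.append((e["line"], e["error"]))
            continue
        host = urlparse(e["uri"]).hostname or ""
        if host not in official_hosts:
            findings.append((e["line"], f"unofficial host {host!r}"))
        # [trusted=yes] makes apt accept the repository without a valid
        # Release signature, so a trojaned mirror needs no key at all.
        if e["options"].get("trusted") == "yes":
            findings.append((e["line"],
                             "[trusted=yes] disables Release signature checks"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit(parse_sources(SAMPLE_SOURCES)):
        print(f"sources.list:{lineno}: {reason}")
```

Run against a real /etc/apt/sources.list (and the files under sources.list.d) this catches the two cheap tells; it cannot catch the case the mail worries about most, where the newbie also imports the attacker's signing key because the site told him to, since apt then sees a perfectly valid signature.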