Debian Backports security related question

If none of the more specific forums is the right place to ask

Debian Backports security related question

Postby Michael_aust » 2006-06-11 23:57

At present I am running the testing branch. But for one reason or another I am thinking of putting stable on another machien over testing, primaraly because it seems packaes seem to be disapaearing an awful lot from the testing repos while they remain in stable and unstable.

So if I go with sarge I will be using Debian backports to update a number of packages to newer versions most notably kde, openoffice and a number of others. My question is do the maintainers have any kind of security policy? For example say a security vulnerability was found inthe latest kde in backports and a newer fixed version was uploade to sid or etch, would backports package it up and replace the previous one that had the security issue? Or do they only package new versions for release versions rather then bug/security fixes?

Michael.
Debian etch - 2.6.15-1 686
Michael_aust
 
Posts: 6
Joined: 2006-03-23 21:02
Location: Lancashire (United Kingdom)

Postby Lux » 2006-06-12 08:25

I've recently started mixing testing and unstable on my desktop system (I used to follow testing only). Now I mainly track testing but aptitude fetches all the missing dependences from unstable -- it's a great new feature in aptitude that it suggests different possible solutions when dependencies are not satisfied. And I can also easily install packages from unstable whenever I want.

I added the following to /etc/apt/apt.conf:
Code: Select all
APT::Default-Release "testing";

The man page for apt_preferences gives an example of what you can write to /etc/apt/preferences if you track both testing and unstable. This technique of tracking two branches and setting their priorities in /etc/apt/preferences is called "apt-pinning".

Debian has two security teams: one for stable and one for testing. Unstable doesn't need a security team because it gets security updates from upstream by packaging the latest versions of software. Backports, on the other hand, is not part of the official Debian distribution. It is just a service that some Debian developers offer in their free time to the users of Debian stable. Hence, backports doesn't receive any security updates -- it's up to the backports maintainers, if they've got enough free time, to update the packages that have known security problems.

This, at least, is my comprehension of the situation. Feel free to correct me if I'm wrong.
"Hit the philistines three times over the head with the Elisp reference manual."
-- Michael A. Petonic --
User avatar
Lux
 
Posts: 474
Joined: 2006-01-25 13:00
Location: Finland


Return to General Questions

Who is online

Users browsing this forum: No registered users and 11 guests

fashionable