security update: bullseye-security or testing-security


Post by jackcast » 2019-07-12 00:11

Hello guys, I am a Debian testing user.
When buster was in testing, the security line used to be
deb http://security.debian.org/debian-security buster/updates main contrib non-free

Since buster has been stable for some days, I need to edit my sources.list file, replace buster with bullseye, right?
And bullseye is now testing. I want to know what's the difference between bullseye-security & testing-security, that is
deb http://security.debian.org/debian-security bullseye-security/updates main contrib non-free
deb http://security.debian.org/debian-security testing-security/updates main contrib non-free

Re: security update: bullseye-security or testing-security

Post by GarryRicketson » 2019-07-12 00:27

If you are going to be using Debian testing you should read all of the documentation on Debian testing. Just scraping the surface here:
https://www.debian.org/security/faq#testing
Q: How is security handled for testing?

A: Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

https://wiki.debian.org/DebianTesting
To upgrade to testing from current stable, if you have already installed the stable release:

Edit your /etc/apt/sources.list file, changing 'stable' (or the current codename for stable) to 'testing' (or the current code name for the next stable release).

Remove or comment out your stable security updates line(s) (anything with security.debian.org in it).
Remove or comment out any other stable-specific lines, like *-backports or *-updates.

Verify that your installation is not fixed to a specific release in /etc/apt/apt.conf.d/00default-release

There is much more that should be read:
https://www.debian.org/releases/testing/
Please note that security updates for "testing" distribution are not yet managed by the security team. Hence, "testing" does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to buster for the time being if you need security support. See also the entry in the Security Team's FAQ for the "testing" distribution.

Re: security update: bullseye-security or testing-security

Post by wurstkraft » 2019-07-12 08:10

This has been posted by Ansgar Burchardt on debian-devel-announce yesterday:
Hi,

over the last years we had people getting confused over <suite>-updates
(recommended updates) and <suite>/updates (security updates). Starting
with Debian 11 "bullseye" we have therefore renamed the suite including
the security updates to <suite>-security.

An entry in sources.list should look like

deb http://security.debian.org/debian-security bullseye-security main

For previous releases the name will not change.

Ansgar
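The naming rule from the announcement quoted above, as an added example that is not part of the original thread or of Debian's own tooling: a POSIX shell check that classifies the suite field of security.debian.org entries in one-line sources.list format. The `OLD_STYLE` codename list, the function names and the verdict names are assumptions of this example; it goes slightly beyond the announcement by also flagging the hybrid `<suite>-security/updates` form.

```shell
#!/bin/sh
# Added example: check the suite field of security.debian.org entries
# in one-line sources.list format against the naming rule above.

# Assumption: codenames older than bullseye, which keep <suite>/updates.
OLD_STYLE="jessie stretch buster"

# classify_line LINE prints one of:
#   skip      not an active entry for security.debian.org
#   ok        suite name matches the convention for that release
#   old-name  <suite>/updates used for bullseye or later
#   new-name  <suite>-security used for a release older than bullseye
#   mixed     <suite>-security/updates, which is neither convention
#   alias     stable/testing/oldstable: target changes, not checked
classify_line() {
    set -f                                   # no globbing while splitting
    # Strip an optional [options] block, then split into fields.
    set -- $(printf '%s\n' "$1" | sed 's/\[[^]]*]//')
    set +f
    case "$1" in deb|deb-src) ;; *) echo skip; return ;; esac
    case "$2" in *security.debian.org*) ;; *) echo skip; return ;; esac
    case "$3" in
        *-security/updates) echo mixed; return ;;
        */updates)  base=${3%/updates};  style=old ;;
        *-security) base=${3%-security}; style=new ;;
        *) echo skip; return ;;
    esac
    case "$base" in stable|oldstable|testing) echo alias; return ;; esac
    case " $OLD_STYLE " in
        *" $base "*) expected=old ;;
        *)           expected=new ;;
    esac
    if [ "$style" = "$expected" ]; then echo ok
    elif [ "$style" = old ]; then echo old-name
    else echo new-name
    fi
}

# audit_sources FILE prints "FILE:LINENO: verdict" for each security entry.
# Typical call: audit_sources /etc/apt/sources.list
audit_sources() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_line "$line")
        [ "$verdict" = skip ] || printf '%s:%s: %s\n' "$1" "$n" "$verdict"
    done < "$1"
}
```

Files in deb822 format (`*.sources`) are not parsed by this sketch.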

Re: security update: bullseye-security or testing-security

Post by GarryRicketson » 2019-07-12 12:51

Thanks, and that is a good point I sort of forgot to mention: those that want to use Debian testing can stay informed if they check: https://lists.debian.org/debian-devel-announce/
From:
https://www.debian.org/releases/testing/
---snip--
In addition, general status reports are posted by the release manager to the
debian-devel-announce mailing list.

The announcement had not yet been posted when I was posting here, but yes, I see it was posted late yesterday, https://lists.debian.org/debian-devel-announce/2019/07/msg00004.html
Date: Thu, 11 Jul 2019 22:01:01 +0200

Thanks for sharing

Re: security update: bullseye-security or testing-security

Post by jackcast » 2019-07-13 22:15

Thanks a lot, GarryRicketson and wurstkraft.
I decided to stay with bullseye-security, just like buster when buster was in testing. I think it will not be long before the Debian security team handles security issues.
I never intended to view https://lists.debian.org, it seems like I ignored a lot of useful information.

Re: security update: bullseye-security or testing-security

Post by Head_on_a_Stick » 2019-07-14 10:25

jackcast wrote: I decided to stay with bullseye-security, just like buster when buster was in testing. I think it will not be long before the Debian security team handles security issues.

Did you actually read Garry's posts? There is no coverage at all for the testing branch from the Security Team and there never will be.

Furthermore because of the transition delay from sid any vulnerabilities may remain exposed for up to two weeks after upstream fixes are issued so Debian testing is probably one of the least secure GNU/Linux distributions available.

Re: security update: bullseye-security or testing-security

Post by jackcast » 2019-07-14 13:16

Head_on_a_Stick wrote: Did you actually read Garry's posts? There is no coverage at all for the testing branch from the Security Team and there never will be.

Furthermore because of the transition delay from sid any vulnerabilities may remain exposed for up to two weeks after upstream fixes are issued so Debian testing is probably one of the least secure GNU/Linux distributions available.

So I misunderstood? Yes, I noticed the following quote. This is my understanding: if I use debian-security buster/updates, I will get security updates in a timely manner; if I keep with bullseye-security for some months, I won't get security updates, but it's possible to get security updates some months later, but delays may occur. I run Debian for daily use, so lags are accepted. Oh, I think I made a big mistake.

GarryRicketson wrote: there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind.

GarryRicketson wrote: Please note that security updates for "testing" distribution are not yet managed by the security team. Hence, "testing" does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to buster for the time being if you need security support.

Re: security update: bullseye-security or testing-security

Post by GarryRicketson » 2019-07-14 13:18

Thanks H_O_A_S :
There is no coverage at all for the testing branch from the Security Team and there never will be.

I should have been more clear, but I thought the OP would see that, based on the information on the Wiki and other documentation, apology for not stating it so clearly.

Re: security update: bullseye-security or testing-security

Post by djk44883 » 2019-07-15 01:23

jackcast wrote: if I use debian-security buster/updates, I will get security updates in a timely manner; if I keep with bullseye-security for some months, I won't get security updates, but it's possible to get security updates some months later, but delays may occur. I run Debian for daily use, so lags are accepted. Oh, I think I made a big mistake.

Months!?! By the nature of testing... it's (supposedly) under active development. If there's a security issue, I would hope it would be fixed within days. Have you looked to see if there are any files in the repos you thought you'd use? Or the ones you've used?

The devel mailing list reference most likely is for consistency, moving forward. I'd never found anything in (when in testing) buster-updates or buster/updates, whichever. I thought it seemed pointless, since "testing" was updated routinely, so how do you differentiate an update?

