security update: bullseye-security or testing-security

jackcast
Posts: 3
Joined: 2019-07-11 23:40

security update: bullseye-security or testing-security

#1 Post by jackcast »

Hello guys, I am a Debian testing user.
When buster was in testing, the security line used to be

Code: Select all

deb http://security.debian.org/debian-security buster/updates main contrib non-free

Since buster has been stable for some days, I need to edit my sources.list file, replace buster with bullseye, right?
And bullseye is now testing. I want to know what's the difference between bullseye-security & testing-security, that is

Code: Select all

deb http://security.debian.org/debian-security bullseye-security/updates main contrib non-free
deb http://security.debian.org/debian-security testing-security/updates main contrib non-free

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: security update: bullseye-security or testing-security

#2 Post by GarryRicketson »

If you are going to be using Debian testing, you should read all of the documentation on Debian testing. Just scraping the surface here:
https://www.debian.org/security/faq#testing
Q: How is security handled for testing?

A: Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
https://wiki.debian.org/DebianTesting
To upgrade to testing from current stable, if you have already installed the stable release:

Edit your /etc/apt/sources.list file, changing 'stable' (or the current codename for stable) to 'testing' (or the current code name for the next stable release).

Remove or comment out your stable security updates line(s) (anything with security.debian.org in it).
Remove or comment out any other stable-specific lines, like *-backports or *-updates.

Verify that your installation is not fixed to a specific release in /etc/apt/apt.conf.d/00default-release
There is much more that should be read:
https://www.debian.org/releases/testing/
Please note that security updates for "testing" distribution are not yet managed by the security team. Hence, "testing" does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to buster for the time being if you need security support. See also the entry in the Security Team's FAQ for the "testing" distribution.

wurstkraft
Posts: 2
Joined: 2018-01-05 20:53

Re: security update: bullseye-security or testing-security

#3 Post by wurstkraft »

This has been posted by Ansgar Burchardt on debian-devel-announce yesterday:
Hi,

over the last years we had people getting confused over <suite>-updates
(recommended updates) and <suite>/updates (security updates). Starting
with Debian 11 "bullseye" we have therefore renamed the suite including
the security updates to <suite>-security.

An entry in sources.list should look like

deb http://security.debian.org/debian-security bullseye-security main

For previous releases the name will not change.

Ansgar
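
The naming rule in the announcement above, applied to sources.list lines (an added example, not part of the thread or of any Debian tool). The function names, verdict labels and the `OLD_STYLE` set of pre-bullseye codenames are assumptions of this example; the sample lines are constructed from the entries quoted in this thread.

```python
import re

# Releases before Debian 11 keep "<suite>/updates" (assumed, non-exhaustive set).
OLD_STYLE = {"jessie", "stretch", "buster"}
# Aliases move between releases, so the right name depends on the date.
ALIASES = {"oldstable", "stable", "testing"}
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

def check_security_suite(line):
    """Classify a one-line-style sources.list entry -> (verdict, suggested_suite)."""
    body = line.split("#", 1)[0].strip()          # drop comments
    m = ENTRY.match(body)
    uri = m.group(1) if m else ""
    if "security.debian.org" not in uri and "debian-security" not in uri:
        return ("skip", None)                     # not a security archive line
    suite = m.group(2)
    if suite.endswith("/updates"):
        base, style = suite[: -len("/updates")], "old"
    elif suite.endswith("-security"):
        base, style = suite[: -len("-security")], "new"
    else:
        return ("not-a-security-suite", None)
    mixed = base.endswith("-security")            # e.g. bullseye-security/updates
    if mixed:
        base = base[: -len("-security")]
    if base in ALIASES:
        return ("alias", None)                    # resolve to a codename first
    want = "old" if base in OLD_STYLE else "new"
    fixed = base + ("/updates" if want == "old" else "-security")
    if mixed:
        return ("mixed-styles", fixed)
    return ("ok", None) if style == want else ("wrong-style", fixed)

def audit(text):
    """Return (line_no, verdict, suggestion) for each security entry in text."""
    rows = ((n, *check_security_suite(l)) for n, l in enumerate(text.splitlines(), 1))
    return [r for r in rows if r[1] != "skip"]

# Constructed sample: the entries quoted in the thread plus two variants.
SAMPLE = """\
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security/updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main
deb [arch=amd64] http://security.debian.org/debian-security bullseye/updates main
deb http://deb.debian.org/debian bullseye main
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A suite name that does not exist on the mirror makes `apt update` fail to fetch that source, so the machine stops receiving anything from it; running a check like this after editing sources.list catches the mixed `bullseye-security/updates` form before that happens.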

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: security update: bullseye-security or testing-security

#4 Post by GarryRicketson »

Thanks, and that is a good point I sort of forgot to mention. For those that want to use Debian testing, they can stay informed if they check: https://lists.debian.org/debian-devel-announce/
From:
https://www.debian.org/releases/testing/
---snip--
In addition, general status reports are posted by the release manager to the
debian-devel-announce mailing list.
The announcement had not yet been posted when I was posting here, but yes, I see it was posted late yesterday, https://lists.debian.org/debian-devel-a ... 00004.html

Code: Select all

Date: Thu, 11 Jul 2019 22:01:01 +0200 
Thanks for sharing

jackcast
Posts: 3
Joined: 2019-07-11 23:40

Re: security update: bullseye-security or testing-security

#5 Post by jackcast »

Thanks a lot, GarryRicketson and wurstkraft.
I decided to stay with bullseye-security, just like buster when buster was in testing. I think it will not be long before the Debian security team handles security issues.
I never intended to view https://lists.debian.org, it seems like I ignored a lot of useful information.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: security update: bullseye-security or testing-security

#6 Post by Head_on_a_Stick »

jackcast wrote: I decided to stay with bullseye-security, just like buster when buster was in testing. I think it will not be long before the Debian security team handles security issues.
Did you actually read Garry's posts? There is no coverage at all for the testing branch from the Security Team and there never will be.

Furthermore because of the transition delay from sid any vulnerabilities may remain exposed for up to two weeks after upstream fixes are issued so Debian testing is probably one of the least secure GNU/Linux distributions available.
deadbang

jackcast
Posts: 3
Joined: 2019-07-11 23:40

Re: security update: bullseye-security or testing-security

#7 Post by jackcast »

Head_on_a_Stick wrote:Did you actually read Garry's posts? There is no coverage at all for the testing branch from the Security Team and there never will be.

Furthermore because of the transition delay from sid any vulnerabilities may remain exposed for up to two weeks after upstream fixes are issued so Debian testing is probably one of the least secure GNU/Linux distributions available.
So I misunderstood? Yes, I noticed the following quote. This is my understanding: if I use debian-security buster/updates, I will get security updates timely; if I keep with bullseye-security for some months, I won't get security updates, but it's possible to get security updates some months later, but delays may occur. I run Debian for daily use, so lags are accepted. Oh, I think I made a big mistake.
GarryRicketson wrote:there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind.
GarryRicketson wrote:Please note that security updates for "testing" distribution are not yet managed by the security team. Hence, "testing" does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to buster for the time being if you need security support.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: security update: bullseye-security or testing-security

#8 Post by GarryRicketson »

Thanks H_O_A_S :
There is no coverage at all for the testing branch from the Security Team and there never will be.
I should have been more clear, but I thought the OP would see that, based on the information on the Wiki and other documentation, apology for not stating it so clearly.

djk44883
Posts: 107
Joined: 2010-12-11 13:14
Has thanked: 2 times

Re: security update: bullseye-security or testing-security

#9 Post by djk44883 »

jackcast wrote: if I use debian-security buster/updates, I will get security updates timely; if I keep with bullseye-security for some months, I won't get security updates, but it's possible to get security updates some months later, but delays may occur. I run Debian for daily use, so lags are accepted. Oh, I think I made a big mistake.
Months!?! By its nature, testing... it's (supposedly) under active development. If there's a security issue, I would hope it would be fixed within days. Have you looked to see if there are any files in the repos you thought you'd use? Or the ones you've used?

The devel mailing list reference most likely is for consistency, moving forward. I'd never found anything in (when in testing) buster-updates or buster/updates, whichever. I thought it seemed pointless, since "testing" was updated routinely, so how do you differentiate an update?
