From: Shachar Shemesh (linux-il_at_nonexisting.hamakor.org.il)
Date: Thu 22 Jul 2004 - 14:12:35 IDT
Ira Abramov wrote:
>Good morning, Miki! All well?
>
>Quoting Ben-Nes Michael, from the post of Thu, 22 Jul:
>
>>If you go for Debian use the testing branch ( Sarge ) and not the stable (
>>woody ), I mistakenly went for woody and now I need lots of backports.
>>

Well, you can rectify that pretty easily. Upgrading Debian in place is
the slickest I've seen, and often does not even require a reboot. If you
also upgrade the kernel, you will require a reboot, but the system is up
for the entire time before and after the reboot.
Keep in mind, however, that Debian's guarantee that no config changes
will happen that will break your app does not hold when upgrading from
one branch to another, so it's not an operation I'd do automatically. As
such, I highly recommend changing all the apt sources from "stable" to
"woody", so that automatic upgrade does not happen when you do not
expect it to.

>
>a. I'm a bit conservative. for production servers I still stick to woody
>and sources like dotdeb.org that proved itself worthy. you COULD run
>workstations with unstable, but I would only do that if your users are
>knowledgeable.
>

And if you have a fast Internet connection (broadband). Unstable can
easily amount to 10-20MB of updates a DAY, more on some weeks.
>b. in any case "testing" is usually a bit more broken than either stable
>or unstable. it's not for production, especially not servers.
>

And NEVER run it on production servers, as both Ira and I know. If you
look at a typical Debian security advisory, it will contain the new
package for Stable and Unstable. Testing's security fixes are very slow
to arrive. We have, in fact, had a server broken into as a result of this.
>>>last, who has a more secure patching policy/practice, Mandrake or Debian ?
>>>

As for practice, this is very hard to measure or estimate.
As a single, non-representative example, the latest PHP problem was posted
to "Full Disclosure" on July 15th, 1:53 am. Mandrake released a fix at
2:19, and Debian only on the 21st (six days later), at 5:41am. On the
other hand, in other cases, Debian were way ahead of the others. This is
usually an indication that Debian's security team did not deem this
problem worthy of an urgent fix (no remote exploitation, for example).
As for policy, however, you cannot beat Debian's "don't upgrade -
backport" policy. It means that on a "stable", a security update will
*never* break your config due to changes between minor software
versions. This gives Debian's patches very very high marks on their
stability front, which allows for automatic upgrades almost without fear.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
http://www.lingnu.com/
=================================================================
To unsubscribe, send mail to linux-il-request_at_linux.org.il with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail linux-il-request_at_linux.org.il
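An added example, not part of the thread: the "stable" to "woody" rewrite of the apt sources that Shachar recommends, as a small POSIX shell script. The point is that the "stable" alias moves to the next release when one is published, so an unattended upgrade against an alias can silently cross a branch boundary, while a codename keeps pulling that release's own security updates (the `woody/updates` suite) only. The sample sources.list, the placeholder hostnames and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread). Pins apt sources to a
# release codename so an automatic "apt-get upgrade" never follows the
# moving "stable" alias onto a new release. Hostnames below are placeholders.

# Write a constructed sources.list (sample data for this example) to the file $1.
write_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sample; hostnames are placeholders
deb http://mirror.example.invalid/debian stable main
deb-src http://mirror.example.invalid/debian stable main
deb http://security.example.invalid/ stable/updates main
deb http://backports.example.invalid/debian woody main
# deb http://mirror.example.invalid/debian testing main
EOF
}

# Print the active deb/deb-src lines whose suite field is a moving alias
# (stable, testing or unstable, optionally with a /updates-style suffix).
# Commented-out lines are ignored. Usage: find_alias_sources FILE
find_alias_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+(stable|testing|unstable)(/|[[:space:]]|$)' "$1"
}

# Number of alias lines in FILE (0 when the file is fully pinned).
count_alias_sources() {
    find_alias_sources "$1" | wc -l | tr -d ' '
}

# Rewrite the "stable" alias to the given codename, keeping any suffix such
# as stable/updates -> woody/updates. Writes to DST and leaves SRC untouched
# so the change can be reviewed before it is put in place.
# Usage: pin_to_codename SRC DST CODENAME
pin_to_codename() {
    src=$1; dst=$2; codename=$3
    sed -E "s#^([[:space:]]*deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+)stable(/|[[:space:]]|\$)#\1${codename}\3#" "$src" > "$dst"
}

# Succeeds (exit 0) only when FILE contains no alias-based source lines,
# i.e. it is safe to let an automatic upgrade run against it.
check_pinned() {
    [ "$(count_alias_sources "$1")" -eq 0 ]
}

# Stand-alone demonstration on a temporary copy; run with APT_PIN_DEMO=1.
demo() {
    tmp=$(mktemp -d)
    write_sample_sources "$tmp/sources.list"
    echo "alias lines before: $(count_alias_sources "$tmp/sources.list")"
    pin_to_codename "$tmp/sources.list" "$tmp/sources.list.pinned" woody
    echo "alias lines after:  $(count_alias_sources "$tmp/sources.list.pinned")"
    cat "$tmp/sources.list.pinned"
    rm -rf "$tmp"
}

if [ "${APT_PIN_DEMO:-0}" = 1 ]; then
    demo
fi
```

The script never edits /etc/apt/sources.list in place: it writes a pinned copy that an administrator diffs and then moves into place, which fits the thread's point that a branch change is something to do deliberately rather than let happen by itself.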
This archive was generated by hypermail 2.1.7 : Thu 22 Jul 2004 - 14:24:36 IDT