Debian mirrors and sources.list selections

Drake Diedrich dld at coyote.com.au
Wed Jul 3 16:46:40 EST 2002


On Wed, Jul 03, 2002 at 10:48:19AM +1000, Matthew Hawkins wrote:
> 
> woody != unstable
> 
> There are no security updates for unstable, I guess because unstable
> will get the new packages in any case.  They're also probably trying to
> wean people off running unstable in the future.
> 

   Just to clarify this, the Debian security team (about half a dozen
people?) makes security announcements, backports fixes to the current stable
(and soon-to-be-stable woody), cross compiles on all supported
architectures, etc.  They also often receive early warning of
vulnerabilities, which they forward to the package maintainer (and if they
respond quickly enough may be involved in the security announcement and
backport process).  The security team itself though *does not upload to
unstable*.  This is clearly the maintainer's job.  Sometimes the maintainer
will upload a fixed (often aggressively with little regard to QA or conf
file compatibility) package to unstable before the security team has
backported and compiled all packages for stable - especially when the
backport is complex. Sometimes the Debian security team is first, and very
rarely they are synchronized.  No announcement of vulnerability or fix goes
out with respect to unstable, it's in the changelogs, and maybe on upstream
or global security lists.
   So fixes do go both places, but they aren't in synch, so it's difficult
to say in general which one will be first.  Before the new security
autobuilders the maintainer had a definite edge (no need to worry about
breaking stuff, regular unstable autobuilders already in place, can just
take upstream's latest packages, ...).  Now it's more of an even race.

   Debian-the-organization of course never makes any promises.  It would be
rare though for every maintainer (including the security team) to agree that
a particular fix was not worth someone's effort to upload.  In fact, any
agreement is rare.  :)

   As far as weaning goes, there probably are some developers with such an
agenda (maybe even many).  Another topic of potential disagreement.  :) The
market, the community, the chaos, whatever you want to call it will sort out
who uses what.  unstable==sid (the Kid who destroys toys in Toy Story) in
order to scare people.  It hasn't been a terribly effective campaign.


   Some servers run potato (or even slink, for which there are no longer any
updates).  Some run woody.  Some run potato with woody backports.  Some run
unstable, but lag a few weeks or months back, and only catch up when there's
a need (feature or security).  It depends on the service, its audience, and
such.  apt is especially good at all of these scenarios, assuming the
package dependencies are in fact correct (the most common cause of package
installation troubles on Debian, especially in unstable).  A good reason to
run multiple servers (especially little ones) or to look into UML or one of
those IBM virtual machine boxes.

   rpm-apt .. I can't imagine how it would cope without the package
dependency/conflict information that is built into each .deb.  Seems like it
would work for simple dependencies (libc6, libgtk1.2, ...), but fail for more
complex cases (libgtk1.2-dev conflicting with libgtk1.1-dev due to common
include files, ...).  Providing that information is how Redhat sells their
online update service as I understand it.  RPM-the-format doesn't really
have a good place to store it, and even if it did most RPMs (especially from
third parties) wouldn't have it.

   For sysadmins' and developers' desktops, I recommend just running
unstable, and update whenever you don't have some impending deadline. Or
have two systems, and keep your home directory on the more stable one.
[you wanted an excuse to put a cluster on your desktop, right?]


   That said, if you run unstable, you will regularly see packages with
unfulfillable dependencies, or undeclared conflicts (that break when
installing).  apache2 at the moment for instance.  Even the occasional
just-plain-broken package.
[ObSnipe]  Kinda like running the latest Redhat release.  :)


-Drake



