Adrian Bunk <[EMAIL PROTECTED]> writes: > You say you've deployed Debian sarge and sid in server environments > (even sarge, although months old security fixes might be missing???).
Sure. Frankly, sarge has better security support than we ever got from Sun for commercial versions of Solaris. Don't run the things that aren't secure, pay attention to advisories, and be willing to grab something from sid in the case of dire emergencies, and sarge provides a perfectly acceptable security profile. Servers generally expose very few things to the network and one rarely cares about local exploits. Now, Debian stable is far *better* on security, and in fact I would say that Debian stable has better security support than any other operating system I've ever seen. I would *prefer* to have Debian stable's level of security support for servers. But if I have to have Apache 2.x or some other package that just isn't easily available for stable, going with sarge rather than backports is a reasonable decision and one that I'm quite comfortable with. Really, the worry about using sarge in production is not the security support, it's the fact that things keep changing all the time and in ways that may introduce bugs. The stability and the lack of change in anything other than security are the important bits for stable for me, and what I'm currently really missing in an environment where I'm mostly running sarge (mostly because we need Apache 2.x, partly because we also need a newer OpenLDAP). > Regarding sarge: > I do personally know people who had serious mail loss due to #220983. At > the time I reported this bug, it was present in sarge. This problem > couldn't have happened in a Debian stable (because it would have been > discovered before the release would have been declared stable). This > kind of problems that can occur every day in sarge _are_ dangerous > problems. Yeah, this is more the thing that I'd worry about when running sarge on a server. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]