On Thursday 15 January 2004 17:33, Rich Puhek wrote:

> Depending on what you're doing, pinning actually can work quite well.

Yup, and I do it on my workstation (not that I understand it; it is rather magic to me).

> Snort is related to your overall system security, yes, but new
> releases of Snort have to do with your desire to run the latest and
> greatest release of a package, not with security issues.

Well, that's not how I read DSA-297. I have no desire to run the latest and greatest release of a package on my production server; to the contrary, with the notable exception of SpamAssassin. I would argue that it is only because of security issues that I would ever consider upgrading a package on a production server (and mine isn't even in production yet! :-) ).

> it may use snort just because it's handy for
> detecting strange patterns which could indicate other network
> problems, etc. It could even have some locally-grown programs that
> use some snort tools.

OK, valid argument. Still, wouldn't it be rather rare compared to actually using it for what it is intended for?

> True, but security issues aren't forcing people to use backports. If
> they are, they don't understand how Debian handles security.

Again, that's not how I read DSA-297.

> It's kind of off the topic, but if you're concerned about tools like
> snort, et al., you should be at the experience level where verifying
> signatures of untrusted packages,

It has nothing to do with experience. Sometimes you just don't have the WOT needed to verify a package. Most probably, only those who have at some point attended a Debian keysigning party have a WOT suitable for that, and perhaps people who live in an area with many Debian users. In sparsely populated areas like Norway, a good WOT is a real luxury, and one of the past year's most luxurious evenings was the Debian keysigning party... :-)

> upgrading to testing|unstable,

You don't want to do that on a production system.

> doing apt-get source, or simply building from a tarball are viable
> options for you.

Yep, but it is still beside the point: is there a really good reason for keeping outdated packages in the archive (OK, you provided one above)?

> > Again, I'm fine with backports for many packages, and I'm fine with
> > the general release cycle, it's just the small number of critical
> > security-related packages that I feel needs some discussion.
>
> What's the difference if someone downloads a backport of snort or a
> backport of a window manager?

Big difference: if the WM is a bit unstable, or it has a bit weird performance at times, I don't care. It's the cost of running unstable software. But if the NIDS fails to recognize an attack that's been known for two years, it is pretty serious.

> Either way, if the backport is evil, you're screwed.

Yup, but that was a side note.

> IMHO, it's been discussed to death already. Whether you want a brand
> new version of snort or a new version of KDE is irrelevant to the
> discussion of upgrades, the same issues still apply.

Well, it may be that it has been discussed to death. I'm rather new here. But I respectfully disagree that the type of package is irrelevant to the discussion. Basically, I just like to hear your thoughts, because I really haven't found any good answers.

Best,

Kjetil

-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC