Cliff Flood wrote:
> How do people feel about running Sarge or Sid facing the Internet
> considering it doesn't get security updates as promptly as Woody? I'm
> more concerned about daemons and remote exploitation than local issues.
> What, in the past, have been the response times for updated patched
> OpenSSH packages, for example, to make it to either unstable or testing?
Well, just as an example, the last serious ssh security hole, bug #281595, was discovered in April 2003, didn't hit the Debian BTS until November 2004, and was fixed in sid 12 days later, and probably sarge 2 days after that. Stable is still vulnerable.

Perhaps that's a bad example; it was a minor hole that slipped through the cracks until a recent security audit of sarge for old holes.

The one before that, CAN-2003-0693, was made public on 16 Sep 03 and fixed in stable on and in unstable on the same day. I don't have records, but I'd assume the fix hit sarge 2 days later.

Hope that helps, though I doubt it. I will say that I doubt that many people have devoted the time to looking at the rates at which security holes are fixed in stable, unstable, and testing to sensibly compare them. Much of the received wisdom on this topic is out of date or wrong.

-- 
see shy jo