* Johannes Wiedersich [2006-06-01 12:39]:
> > I'm about to install sarge on a (production) server of my own, and
> > would rather like to have the latest versions of:
> >
> > * mysql (5.0)
> > * vim (7.0)
> > * the Linux kernel (2.6.16) [ppc]
> >
> > Since these are not in sarge, I'm considering using backported
> > versions from backports.org. I was however unable to find much
> > information on the effect on security of using backports.org. Since
> > this server will expose several services to the internet (apache,
> > subversion, mysql), I want to make sure that it is, and stays, secure.
> >
> > So these are my questions:
> >
> > * Are you using unofficial repositories (e.g. backports.org) on
> > production servers ?
>
> Not any more, but I used to when I needed a more recent samba than that
> on woody. (Now using sarge). I now use it on my productive laptop for
> kernel and OO 2.0, but the latter only very seldom.
>
> > * Do you (and can I) trust backports.org ?
>
> I'm not from backports.org, but I don't know why you should trust their
> mysql 5.0 less than what you would backport yourself. In both cases,
> the chance to miss an important security update etc. is probably higher
> than on stable, but you already knew that.

Do you know what would be the best way to make sure I don't miss any
of those updates? If I backport e.g. mysql from unstable/testing,
will I be able to rely on security announcements to debian-security,
or do I need to check for new vulnerabilities upstream?

> If trust is of utmost importance, it is always better to compile
> yourself; and if anything goes wrong you know whom to blame :=))
>
> (You could achieve even more trust, if you scrutinize the source code
> line by line before compiling... )
>
> It's always a difficult decision between 'I'd rather have xxx' and
> security. If reliability is important, I would rather stick to stable,
> but YMMV.

I'm more concerned about security than reliability. I can handle
occasional downtime if something breaks, but I'd rather avoid my
system being compromised.

- Felix

-- 
Felix C. Stegerman <[EMAIL PROTECTED]> http://obfusk.net
~ "Any sufficiently advanced bug is indistinguishable from a feature."
~ -- R. Kulawiec
~ vim: set ft=mail tw=70 sw=2 sts=2 et: