On Mon, Jul 26, 2010 at 08:34:23PM +0700, Sthu Deus wrote:
> Thank You for Your time and answer, Rob:
>
> > That's about as official
> > as you can get without a Debian release manager being in charge of
> > it, I guess.
>
> What difference does it make in sense of security?
>

I've had a busy week. I think we were talking about Live images of Debian Testing, right?
These images are made periodically. I don't know if any particular schedule is followed. Security updates can be added via aptitude if you use "persistence". Persistence lets you save changes to your live system to a USB stick, for instance. (In fact, the whole live system can run off of a USB stick instead of a CD).

All this means that security updates are the same for the normal Testing distro. Exactly what state that is in currently, I'm not sure. There is/was an official security team for Testing, but I know it had a rough period recently. I don't think timely security updates for Testing are guaranteed right now, but I could be wrong.

One thing about the Debian Live systems is that the kernel cannot be upgraded via apt-get or aptitude. A new image has to be built in order to get the latest kernel.

If you are asking about security in the sense of "can I trust these images", I don't have a clear answer for you. The author is a Debian developer. He has earned some degree of trust in order to get to that position. Do his live-helper packages receive scrutiny from the Debian team before being admitted into the repositories -- scrutiny that his Live images do not receive because they aren't released through official Debian channels? I don't know the answer to that.

If you are concerned about that, though, you can build your own images using the live-helper package on your Debian system. You can even use a Lenny system to build a Squeeze image if you want.

I know there have been some comments in another thread that you are being too paranoid. I get what you're after, though. GPG calls it web of trust. If you can't personally verify that something/somebody is trustworthy, maybe you can find somebody you trust who can verify for you. I hesitate to profess trust for things that I haven't personally verified. I've used a premade Live image before, and nothing bad happened, but I won't tell you that it is safe because I really don't know that for sure. I believe it, but I don't know it. "Trust me" is a phrase best left in the closed source world, in my opinion.

-Rob