On 2023-04-18 13:52:13 -0400, Jeffrey Walton wrote:
> On Tue, Apr 18, 2023 at 1:46 PM Frank <zuiderd...@gmx.com> wrote:
> > Interesting. Like Tixy, I was under the impression testing didn't
> > receive security support. I remember checking that several times over
> > the years. Curious.

Anyway, in the time of freeze like now (probably with more users
trying testing), isn't it important that testing gets security
updates?

> I did not think so, either. But have a look at
> https://www.debian.org/security/faq#testing and

This one does not concern testing-security, but security updates
that "migrate" from unstable to testing, like any other update
for unstable (so this is just "testing", not "testing-security"):

  Security for testing benefits from the security efforts of the
  entire project for unstable. However, there is a minimum two-day
  migration delay, and sometimes security fixes can be held up by
  ^^^^^^^^^
  transitions. The Security Team helps to move along those
  transitions holding back important security uploads, but this is
  not always possible and delays may occur. Especially in the months
  after a new stable release, when many new versions are uploaded to
  unstable, security fixes for testing may lag behind. If you want to
  have a secure (and stable) server you are strongly encouraged to
  stay with stable.

There is a better solution concerning the "in the months after a
new stable release" case, even for users using unstable: have
"stable-security" in apt sources (e.g. /etc/apt/sources.list).
Since stable is new, most packages are based on the same version
as stable. That way, users can benefit from security updates for
stable.

> https://wiki.debian.org/DebianTesting .

It is strange that

  If you are tracking testing or the next-stable code name, you
  should always have a corresponding

    deb http://security.debian.org <"testing" or codename>-security main

  entry in your apt sources. See this FAQ-Item.

links to the above FAQ item, as testing-security is not related
to what the above FAQ-Item says. This may confuse users.

This wiki page also links to the more detailed

  https://www.debian.org/doc/manuals/securing-debian-manual/ch10.en.html#security-support-testing

which first mentions the unstable-to-testing migration like the FAQ,
but also says:

  Additionally, the http://secure-testing-master.debian.net can issue
  Debian Testing Security Advisories (DTSAs) for packages in the
  testing branch if there is an immediate need to fix a security
  issue in that branch and cannot wait for the normal procedure (or
  the normal procedure is being blocked by some other packages).

  Users willing to take advantage of this support should add the
  following lines to their /etc/apt/sources.list (instead of the
  lines described in Section 4.2, “Execute a security update”):

    deb http://security.debian.org testing/updates main contrib non-free
    # This line makes it possible to download source packages too
    deb-src http://security.debian.org testing/updates main contrib non-free

which is out-of-date: use testing-security instead of the old
testing/updates (this changed in July 2019). This is the following
bug (from July 2019):

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931520

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
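
Added example, not part of the original message or of any Debian tool: a shell check that flags one-line-style apt source entries still using the old `testing/updates` suite name, prints the `testing-security` form, and warns when testing is tracked without a `testing-security` entry. The helper name `check_security_suites`, the `deb.debian.org` mirror line and the sample file are constructed for illustration; deb822 `.sources` files and codename-based entries are outside its scope.

```shell
#!/bin/sh
# Added example (not from the original message): audit one-line-style apt
# sources for the legacy "<suite>/updates" security suite name.
# check_security_suites is a hypothetical helper name, not a Debian tool.

check_security_suites() {
    # $1: sources.list-style file. Prints one line per finding and
    # returns 1 if anything was flagged, 0 otherwise.
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # comments, blanks, other
        {
            i = 2
            # Skip an optional [opt=val ...] block; it may span several fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            if (uri !~ /security/) {
                if (suite == "testing") tracks_testing = 1
                next
            }
            if (suite == "testing-security") has_testing_security = 1
            if (suite ~ /\/updates$/) {
                fixed = suite; sub(/\/updates$/, "-security", fixed)
                printf "%s:%d: legacy suite %s, use %s\n", FILENAME, FNR, suite, fixed
                bad = 1
            }
        }
        END {
            if (tracks_testing && !has_testing_security) {
                print "testing is tracked but there is no testing-security entry"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: the out-of-date lines quoted in the message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://deb.debian.org/debian testing main
deb http://security.debian.org testing/updates main contrib non-free
deb-src http://security.debian.org testing/updates main contrib non-free
EOF
check_security_suites "$sample" || echo "sources need updating"
rm -f "$sample"
```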