[vox] Password NOT stolen at linuxworld

Michael Wenk vox@lists.lugod.org
Mon, 11 Aug 2003 16:42:59 -0700


On Monday 11 August 2003 03:39 pm, Dmitriy wrote:
> On Mon, Aug 11, 2003 at 03:00:14PM -0700, Ryan Castellucci wrote:
> > On Mon, Aug 11, 2003 at 02:16:15PM -0700, Dmitriy wrote:
> > > Testing is inherently insecure.  _Don't_ run testing on any publicly
> > > accessible computers.  It doesn't get security updates.
>
> [snip]
>
> > I claim IGNORANCE!!!!
> >
> > I was not aware of this, I sure wish someone had told me. I needed newer
> > versions of several packages that were not available in stable. Would I
> > be better off running sid in the future?
>
> sid: stuff breaks at times, and security updates are mostly on time,
> yet there are exceptions (like bug #200736 for example).
>
> stable always gets timely security updates.
>
> I believe the best approach is to backport some packages from
> testing/unstable (if feasible) and run them on a stable box.

Truth be told, if you rely 100% on what's in the distro (no matter which)
you're just asking to be burned.  What you need to do is actively pursue the 
security aspect.  Subscribe to all the mailing lists, and watch for any
package that may be installed on your box or may be vulnerable.  It's a PITA,
but relying on any one thing for security is just asking for it.  It only 
varies in the volume in which you are asking for it.  

Mike


-- 
wenk@praxis.homedns.org
Mike Wenk