linux.debian.user debian-user@lists.debian.org

#1
Hi,

After returning to Linux last year as my main desktop OS, I've been wanting to migrate to Debian. However, put off by the prospect of having to use backported security fixes on officially retired development branches such as Thunderbird/Icedove 1.5 (for up to two years!), I'd far rather be using either Testing or Backports.

Given that in any case Backports.org currently only seems to draw on Lenny, and that these days, security vulnerabilities fixed in Sid are swiftly brought over into Testing, what are the specific advantages of using Etch + Backports?

Regards,
Michael

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2
On Thu, Sep 27, 2007 at 02:37:03PM +0100, Michael C wrote:
> Hi,
>
> After returning to Linux last year as my main desktop OS, I've been wanting
> to migrate to Debian. However, put off by the prospect of having to use
> backported security fixes on officially retired development branches such
> as Thunderbird/Icedove 1.5 (for up to two years!), I'd far rather be using
> either Testing or Backports.
>
> Given that in any case Backports.org currently only seems to draw on Lenny,
> and that these days, security vulnerabilities fixed in Sid are swiftly
> brought over into Testing, what are the specific advantages of using Etch+
> Backports?

Take this with a grain of salt as I'm a sid user, but I think as long as all the new software you need is Icedove, stable+backports should be better. If you find you are installing a significant amount of software from backports (or just don't find what you need) maybe you should consider testing, but don't expect everything to Just Work (TM).

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

#3
Michael C wrote:
> Hi,
>
> After returning to Linux last year as my main desktop OS, I've been
> wanting to migrate to Debian. However, put off by the prospect of having
> to use backported security fixes on officially retired development
> branches such as Thunderbird/Icedove 1.5 (for up to two years!), I'd far
> rather be using either Testing or Backports.
>
> Given that in any case Backports.org currently only seems to draw on
> Lenny, and that these days, security vulnerabilities fixed in Sid are
> swiftly brought over into Testing, what are the specific advantages of
> using Etch + Backports?

I am not sure if I understand correctly: What are your objections against debian's way of security fixes?

The advantage of etch is that it is 'stable'. If you want/need more recent software and like to discover bugs and to get them sorted out, you could use 'testing' or unstable. Those also require more upgrading and more work on your part.

The advantage of backports.org is that it provides more recent versions of some software packages. If you want a 'stable' system, but require a more recent version of one or a few packages take them from backports.

If icedove and firefox/iceweasel are your only concern, I would stick to stable (+ backports, but only if that is really important to you).

HTH,
Johannes

#4
Johannes Wiedersich wrote:
> I am not sure if I understand correctly: What are your objections
> against debian's way of security fixes?

Let's take the example of Seamonkey/Iceape. Officially EOL'd as of May, the 1.0.x branch's security status is no longer being actively investigated by upstream developers, but assuming that Lenny takes as long to come to fruition as Etch, come Debian's next major release its developers -- with fewer resources than upstream, I should imagine -- will have been searching out and patching vulnerabilities in an abandoned codebase for more than 20 months.

I've no doubt that the resulting code's more stable than upstream's, it's just that I'd rather place my trust in the upstream codebase (or Debian patches based thereon).

Not a very original objection, but a reasonable-sounding pretext for moving away from Stable.

Best wishes,
Michael

#5
Michael C wrote:
> Johannes Wiedersich wrote:
>
>> I am not sure if I understand correctly: What are your objections
>> against debian's way of security fixes?
>
> Let's take the example of Seamonkey/Iceape. Officially EOL'd as of May,
> the 1.0.x branch's security status is no longer being actively
> investigated by upstream developers, but assuming that Lenny takes as
> long to come to fruition as Etch, come Debian's next major release its
> developers -- with fewer resources than upstream, I should imagine --
> will have been searching out and patching vulnerabilities in an
> abandoned codebase for more than 20 months.
>
> I've no doubt that the resulting code's more stable than upstream's,
> it's just that I'd rather place my trust in the upstream codebase (or
> Debian patches based thereon).
>
> Not a very original objection, but a reasonable-sounding pretext for
> moving away from Stable.

[I'm not a security expert and I don't follow this in every detail, so take my statements carefully and with a grain of salt.]

I personally view it this way:

- upstream replace each mozilla-* version with a new version. This means that at the same time a security issue is fixed, a new one may arise due to new features etc.

- for each security issue discovered, debian carefully checks whether it affects the version in stable. If so, the issue gets fixed and it is rather unlikely that 'new' security holes are introduced this way.

I can't ultimately tell by hard facts, which approach is more secure, but my experience with debian's approach has been good.

You could also run stable etch and install firefox et al. from mozilla's website... I think that even includes an automatic update feature. (Have never tried this myself, though.)

YMMV, HTH, best wishes!
Johannes