security updates in Etch

r3dhatter · 07-04-2005, 01:40 PM

Just wondering, I installed sarge and upgraded to etch (testing). There is a security line, deb http://security.debian.org/ stable/updates main

If I leave that there will I still get security updates even though I am running testing and not stable? I am running the computer as a desktop so I don't know if I even need it, but I would like it to be as secure as possible. Currently, I have it commented out..because I didn't know if it would work.

BTW, do you guys install Firestarter and SElinux on desktops?
and if you are behind a firewall router, do you still install a firewall?

sorry for the newbie questions but I have never bothered with linux security before.

Thanks.

darkleaf · 07-04-2005, 02:29 PM

Most of the time testing will have the fixes in it already since the version number is higher. The security is just for sarge cause it doesn't change anymore except for security updates.

I'm using firestarter. I have a wireless router but it doesn't have firewalling abilities.

vimico · 07-04-2005, 02:35 PM

Quote:

Originally posted by r3dhatter
Just wondering, I installed sarge and upgraded to etch (testing). There is a security line, deb http://security.debian.org/ stable/updates main

If I leave that there will I still get security updates even though I am running testing and not stable? I am running the computer as a desktop so I don't know if I even need it, but I would like it to be as secure as possible. Currently, I have it commented out..because I didn't know if it would work.

I'm not 100% sure, but these security updates will refer to the 'stable' versions of the software. The version of most software used in Etch will be higher, and these updates will not be used.

The security updates in SID will be the next available version of the program.

Quote:

and if you are behind a firewall router, do you still install a firewall?

Yes, if you are not alone in the local network. And if you are alone... it depends on how much you trust the manufacturer of the router and on how paranoid you are

Dead Parrot · 07-05-2005, 11:46 AM

Take a look at the directory structure: http://security.debian.org/dists/ You'll notice that both "etch" and "testing" are supported and you can change the "stable/updates" part in your sources.list entry either to "etch/updates" or "testing/updates".

However, after the Sarge release there has been some confusion at security.debian.org and some of the security updates that the "testing security team" has uploaded there have not become available for download. http://www.infodrom.org/~joey/log/

I'm sure they'll fix the problems in the very near future. Security has always been high priority for Debian.

craigevil · 07-05-2005, 12:06 PM

Just add
# Security Updates Testing
deb http://security.debian.org/ testing/updates main contrib non-free

r3dhatter · 07-06-2005, 10:55 PM

Oh, I didn't know they made security updates for testing. I thought they didn't do that.

Thanks for the info.

celejar · 07-08-2005, 03:39 PM

I have also been confused for a while about the issue of security in testing. If one does apt-get update; apt-get upgrade then everything gets updated to the latest package version for one's Debian version anyway, testing in this case, so what's the significance of special security updates? Are they only relevant if one is not doing full updates (and only has a reference to the security update and not the general update in the apt sources list) ?

samael26 · 07-08-2005, 03:47 PM

Doing full updates is a sure way of endangering your system , IMO.

If you don't have apt-listbugs installed (first thing to do after installing),

you may not be sure whether such or such app is not going to put a threat

on it, maybe not immediately, but when performing actions you were used to

doing safely before and that may not be so any longer.

When you just read about 'critical bugs' in such or such application in the

'upadate' list, with an option to say 'yes' or 'no', it is much of a relief and

if you do agree, you take a risk but are warned that you do. It is much more

important, I think, than 'security' updates.

A tool like aptitude, or synaptic or even kpackage enables you to select updates one by one which is the best thing to do, I think.

darkleaf · 07-08-2005, 04:21 PM

Depends on what kind of bug it is. If it's a security threat it might be so. But I've never used apt-listbugs and never had much trouble. had to fix some things but that's the fun of it.

Noth · 07-08-2005, 06:05 PM

If you actually look at what's available for etch on the security site you'll see that it's empty.

AFAIK they don't release security updates for testing, if you run testing you pretty much have to wait for the new version of the package to go into sid and then filter into testing automatically.

Xian · 07-08-2005, 06:15 PM

Quote:

Originally posted by Noth
AFAIK they don't release security updates for testing, if you run testing you pretty much have to wait for the new version of the package to go into sid and then filter into testing automatically.

Yes, that's what I've always heard.
The 'testing' repos are not for the security minded.

demian · 07-08-2005, 06:20 PM

If you are concerned about security you do not run testing. Period. There is no formal security support for testing (never has been).

Quote:

http://www.debian.org/security/faq#testing
Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.