Felipe Augusto van de Wiel (faw)
2006-Jun-16 03:05 UTC
[Secure-testing-team] Re: Bug#372721: http://www.debian.org/security/faq#testing wrong
Hi -security,

I would like your help with regards to #372721:

On 06/11/2006 07:09 AM, Simon Waters wrote:
> Package: www.debian.org
> Severity: important
>
>
> http://www.debian.org/security/faq#testing
>
> refers to http://secure-testing-master.debian.net/
>
> which no longer responds.
>
> Debian announcement
> http://lists.debian.org/debian-devel-announce/2006/05/msg00006.html
>
> Should be incorporated into the FAQ
>
> -- System Information:
> Debian Release: testing/unstable
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.15.2
> Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

The FAQ needs a couple of changes. I started rewriting it but I have a couple of doubts:

  How is security handled for testing and unstable?

  A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, work is in progress to change this, with the formation of a [1]testing security team which has begun work to offer security support for testing, and to some extent, for unstable.

For testing it is not true anymore. But what about unstable?

  How does testing get security updates?

  A: Security updates will migrate into the testing distribution via unstable. They are usually uploaded with their priority set to high, which will reduce the quarantine time to two days. After this period, the packages will migrate into testing automatically, given that they are built for all architectures and their dependencies are fulfilled in testing.

  The [1]testing security team also makes security fixes available in their repository when the normal migration process is not fast enough.

This topic also changes. As I understood it, we should replace with something like: "testing gets security updates in the same way that stable does", is that correct?

Thanks in advance,

1. http://secure-testing-master.debian.net/

--
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
Moritz Muehlenhoff
2006-Jun-16 09:32 UTC
[Secure-testing-team] Re: Bug#372721: http://www.debian.org/security/faq#testing wrong
Felipe Augusto van de Wiel (faw) wrote:
> A: Security updates will migrate into the testing
> distribution via unstable. They are usually uploaded with
> their priority set to high, which will reduce the quarantine time
> to two days. After this period, the packages will migrate into
> testing automatically, given that they are built for all
> architectures and their dependencies are fulfilled in testing.
>
> The [1]testing security team also makes security fixes available in
> their repository when the normal migration process is not fast enough.
>
>
> This topic also changes. As I understood it, we should replace
> with something like: "testing gets security updates in the same way that
> stable does", is that correct?

No. While the technical infrastructure may be in place, security support for testing is not up to par with stable due to a lack of manpower. It's still not recommendable to use it for a production system.

Cheers,
Moritz