What is best practice for managing sources.list for security and stability?

Hi all,

Perhaps this is an "it depends..." kind of question but here it goes:

I manage several Debian boxes running Etch and Lenny. I installed Debian because I want long term stability and support for the applications running on the servers. After I build a box and get my applications tweaked I usually comment out everything except the security entries like so:

cat /etc/apt/sources.list

#deb http://ftp.us.debian.org/debian/ etch main
#deb-src http://ftp.us.debian.org/debian/ etch main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

The recent key-change forced me to use the main stable repos to get the new keys (e.g. apt-get install debian-archive-keyring) and got me thinking...

Is the approach I outlined the "best" way to maintain the security and stability of these boxes or should I really be using the main repositories as well?

Thanks!
John

--
To UNSUBSCRIBE, email to debian-security-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Re: What is best practice for managing sources.list for security and stability?

Hi John,

On Monday 25 May 2009, john wrote:
> The recent key-change forced me to use the main stable repos to get
> the new keys (e.g. apt-get install debian-archive-keyring)
> and got me thinking...
>
> Is the approach I outlined the "best" way to maintain the security and
> stability of these boxes or should I really be using the main
> repositories as well?

I understand where you're coming from, but I do recommend enabling the main repositories as well. There are several reasons for that. You may miss essential changes to keep the system running, like the APT key rollover you mentioned; you also miss stability improvements, and less pressing security bugfixes which are released in stable point updates.

Packages are only let into a stable point update after they get a lot of scrutiny. Only packages are accepted that fix really serious bugs, or smaller security issues that do not warrant a DSA. The stable release managers review each package before it may enter. Packages are only added in a point release which is announced on debian-announce, so you can review the changes before installing them.

cheers,
Thijs

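A way to spot the configuration discussed in this reply across several boxes, as an added example that is not part of the original thread: it reports any release that has an active security entry but no active main-archive entry (John's setup), or the reverse. The helper name `audit_sources` is hypothetical, and the suite-naming rule is an assumption that generalizes the `etch/updates` form on the page to the later `<release>-security` form.

```sh
#!/bin/sh
# Added example (not from the thread). audit_sources is a hypothetical helper.
# Assumption: "<release>/updates" or "<release>-security" marks a security
# suite; a bare "<release>" marks the main archive.
audit_sources() {
    # $1: path to a sources.list-style file
    awk '
        /^[ \t]*#/  { next }          # commented-out entries are inactive
        $1 != "deb" { next }          # skip deb-src and blank lines
        {
            i = 2
            if ($i ~ /^\[/) {         # skip an optional [options] field
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)          # $i is the URI, the suite follows it
            if (suite == "") next
            if (suite ~ /\/updates$/ || suite ~ /-security$/) {
                sub(/\/updates$/, "", suite); sub(/-security$/, "", suite)
                sec[suite] = 1; seen[suite] = 1
            } else if (index(suite, "/") == 0 && index(suite, "-") == 0) {
                base[suite] = 1; seen[suite] = 1
            }
        }
        END {
            for (r in seen) {
                if (sec[r] && !base[r]) {
                    print r ": security-only (point-release updates are not pulled)"; bad = 1
                }
                if (base[r] && !sec[r]) {
                    print r ": no security archive entry"; bad = 1
                }
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the sources.list John posted, main archive commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#deb http://ftp.us.debian.org/debian/ etch main
#deb-src http://ftp.us.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib
EOF
audit_sources "$sample" || echo "review the entries above"
rm -f "$sample"
```

The function exits non-zero when it reports anything, so it can gate a configuration-management run or a cron check.
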
Re: What is best practice for managing sources.list for security and stability?

john <lists.john@...> writes:

> deb http://security.debian.org/ etch/updates main contrib
> deb-src http://security.debian.org/ etch/updates main contrib
>
> The recent key-change forced me to use the main stable repos to get
> the new keys (e.g. apt-get install debian-archive-keyring)
> and got me thinking...
>
> Is the approach I outlined the "best" way to maintain the security and
> stability of these boxes or should I really be using the main
> repositories as well?

We've never had any trouble using the main repositories as well. You get some additional more minor security bug fixes (DoS bugs, crashers, and similar things) that way, the amount of change isn't much higher, the stability for us has been fully as good as the security updates in practice, and periodically there are things like the archive key change that go into point releases that you want.

--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

Re: What is best practice for managing sources.list for security and stability?

On Mon, May 25, 2009 at 11:49:26AM -0700, john wrote:
> Hi all,
>
> Perhaps this is an "it depends..." kind of question but here it goes:
>
> I manage several Debian boxes running Etch and Lenny. I installed
> Debian because I want long term stability and support for the
> applications
> running on the servers. After I build a box and get my applications
> tweaked I usually comment out everything except the security entries
> like so:
>
> cat /etc/apt/sources.list
>
> #deb http://ftp.us.debian.org/debian/ etch main
> #deb-src http://ftp.us.debian.org/debian/ etch main
>
> deb http://security.debian.org/ etch/updates main contrib
> deb-src http://security.debian.org/ etch/updates main contrib
>
> The recent key-change forced me to use the main stable repos to get
> the new keys (e.g. apt-get install debian-archive-keyring)
> and got me thinking...
>
> Is the approach I outlined the "best" way to maintain the security and
> stability of these boxes or should I really be using the main
> repositories as well?

We maintain local mirrors of the main and security repos for the varieties of Debian we use (Etch and Lenny in i386 and AMD64 flavors) plus a local repo of our own packages. All this can be considered staging: we can pull from it for a test box, and if it goes well, move the package into our production repo.

This costs a bit in disk space (but not so much as it once did!) and saves a bit in bandwidth, which is really pronounced as "works faster when we need it".

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.

You can't defend freedom by getting rid of it.

Re: What is best practice for managing sources.list for security and stability?

Thanks Thijs, Russ and Dan.

I appreciate the insight.

John

>>
>> Is the approach I outlined the "best" way to maintain the security and
>> stability of these boxes or should I really be using the main
>> repositories as well?
>
> We maintain local mirrors of the main and security repos for the
> varieties of Debian we use (Etch and Lenny in i386 and AMD64
> flavors) plus a local repo of our own packages. All this can be
> considered staging: we can pull from it for a test box, and if
> it goes well, move the package into our production repo.
>
> This costs a bit in disk space (but not so much as it once did!)
> and saves a bit in bandwidth, which is really pronounced as
> "works faster when we need it".
>
> -dsr-
>
> --
> http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
>
> You can't defend freedom by getting rid of it.