[thelist] Just moved from Vista to Ubuntu -Web Dev Help???

Bill Moseley moseley at hank.org
Thu Oct 1 18:25:19 CDT 2009


On Thu, Oct 1, 2009 at 12:08 PM, Hassan Schroeder <hassan.schroeder at gmail.com> wrote:

> On Thu, Oct 1, 2009 at 11:44 AM, Bill Moseley <moseley at hank.org> wrote:
>
> >> Thanks. As I thought, woefully out of date (and horribly muddled).
>
> > Are you referring to Debian or yourself? ;)
>
> Debian.
>
> >   Security updates come
> > automatically -- so if you are not paying attention to every bit of
> > self-compiled code's email list you are safer.  I get security updates a few
> > times a week on my Ubuntu desktop.
>
> > Stability and security are where it's at.
>
> So you say, apparently still missing my point that Debian's Tomcat
> packaging (at least) is way out-of-date with regard to *security* fixes.
>

Sorry, I have no knowledge of the specifics of Debian's Tomcat package.  You
asked about Debian security policy so I posted the link.
If you know of specific security issues with the Debian package that you
think the package maintainer is unaware of it would probably be good to
let them know.

I'm pretty sure the maintainers are just humans that volunteer to manage the
packages, so some are probably more on top of things than others.

Just a quick search, but does this include the security issues you are
concerned with?

http://patch-tracker.debian.org/package/tomcat5.5/5.5.26-5

I'm not sure if that's a list of patches applied or if there's a separate
list of security patches.  Maybe others can provide more details.

Again, maintainers often will back patch so older versions have newer
security updates.  Just not newer features.  So, the version number is not a
good indication.


> So why would I trust it to be better with other bundled apps?
>

I would not assume that newer packages are more secure.  The old insecure
versions were once new.

There's no way I can audit all the source code we use.  So, for me it
helps to track packages that are widely used by a distribution with the
idea that a new bug will get noticed by the maintainer.

Personally, I don't trust myself to notice that some bit of software has a
security issue that requires a quick fix.  I had a bind9 compromise once
because I was managing my own version.  I was even on the bind9 list.  I
just missed it.  I would have been protected if I had used the packaged
version, as a security update had been released months before.

I don't see any reason for someone developing with Ubuntu to not use the
packages -- less to worry about when first starting out.  They can decide
when to compile from source when there's a reason.

That said, I don't see anything wrong with your approach as long as you are
confident you can track updates and announcements.

-- 
Bill Moseley
moseley at hank.org
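The point made above, that a backported fix does not show up in the upstream version number, can be checked against the package changelog rather than the version string. The following is an added example, not code from the original post or from Debian's own tooling: a small parser over a constructed Debian-format changelog (placeholder package name and CVE ids) that lists which CVEs a given upstream version has had fixed in its Debian revisions.

```python
import re

# Constructed sample in Debian changelog format (placeholder package and CVE ids).
# Upstream stays 1.2.3 throughout; only the Debian revision moves, yet -2 and -3
# carry security fixes, so "1.2.3" on its own says nothing about patch state.
SAMPLE_CHANGELOG = """\
examplepkg (1.2.3-3) stable-security; urgency=high

  * Backport upstream fix for request smuggling (CVE-0000-0002).
  * Backport fix for path traversal in the static handler (CVE-0000-0003).

 -- Example Maintainer <maint@example.invalid>  Mon, 14 Sep 2009 10:00:00 +0000

examplepkg (1.2.3-2) stable-security; urgency=high

  * Apply upstream patch for XSS in the error page (CVE-0000-0001).

 -- Example Maintainer <maint@example.invalid>  Tue, 03 Mar 2009 09:30:00 +0000

examplepkg (1.2.3-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Fri, 04 Jan 2008 12:00:00 +0000
"""

# Stanza header: "<package> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text):
    """Return one dict per stanza, newest first, with the CVE ids its body names."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"version": m[2], "dist": m[3], "urgency": m[4], "cves": []})
        elif entries:
            cves = entries[-1]["cves"]
            cves.extend(c for c in CVE_RE.findall(line) if c not in cves)
    return entries

def backported_cves(entries, upstream):
    """CVEs fixed in Debian revisions of one upstream version (epoch and -N stripped)."""
    fixed = []
    for e in entries:
        if e["version"].rsplit("-", 1)[0].split(":", 1)[-1] == upstream:
            fixed.extend(c for c in e["cves"] if c not in fixed)
    return sorted(fixed)
```

On a real system the same text comes from `apt-get changelog <package>` or `/usr/share/doc/<package>/changelog.Debian.gz`, and a CVE that appears there is a better signal than comparing the upstream version to the latest release.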
