
using sarge on production machines



hi

* I have to use testing (sarge). *

All of my 3 webservers (apache php mysql java tomcat).
on two other webservers I run woody with some packages from sarge (apt-pinning)
and the mail relay servers (spamassassin amavisd postfix clamav).

I run sarge because I need more recent packages and I do not want to use another distro because I don't trust them as I trust the debian project. I do not want to complain about sarge not being released, this is not the place to do that.

but my users (I work for a university of art and do linux based web and mailserver there) want newer packages. 
so somehow I was forced to upgrade to a newer version of debian.

------
* strategies *

so what strategies to use if you are forced to work with a distro other than woody?

1)
running unstable.
the updates are faster. security should be better than in testing.
but stability is far better in testing.
so the question is:
is it better to have a broken service or an insecure one?
2)
2a)
using stable with backports:
backports may have security problems and stability problems. you have to trust the maintainer of the package.
and read security news.
I think this is good if you need only few packages.
2b)
running stable with some sarge packages (apt-pinning)
the base system is stable and gets the security updates.
some packages come from testing and they are important and they get no security updates.
I think this could be an option if the packages have not many dependencies, otherwise this could be bad for stability. but the debian package system is quite flexible and if you configure apt pinning correctly it works astoundingly reliably.
2c)
running stable and compiling newer packages directly from the relative project.
this means a lot of work. I just have not the time for this.
3)
running sarge
sarge works quite stable. but has many updates. however they work.
sometimes configuration problems can happen during an update but they can be fixed easily.
I am using debian for quite a while now also on desktop and testing had never real stability problems.
so there is the security problem. sarge does not get any security updates. even right now that the sarge base system has been frozen.

so I am trying 2b and 3. both have worked for quite a while now on my servers but I am more afraid about security problems than stability.

the problem I have is that I have very little time and cannot track every security issue every time. so I must find some simple resources or strategies to keep my systems safe.

----
* weapons *

so I have subscribed to some mailing lists:
debian-security-announce@lists.debian.org 
this is cool!

also I have an eye on:
http://merkel.debian.org/~joeyh/testing-security.html
great work!

and for some special packages I can use the direct apt source of the trusted maintainer of a specific package
for example clamav:
http://people.debian.org/~sgran/
 
this might be even better than stable because I get the updates of the virus scanner very fast because sgran does a very good job.

so, for a mail relay with spam filter and virus scanner sarge might be better and on some aspects more secure than stable. 
-----
what strategies are best?

please write some opinions and suggestions about this issue.
I am a bit worried and I begin to be nervous because sarge is still testing.
If you can help me with suggestions about how to deal best with the problem of using sarge in productive environments.
(without changing the distro)


thank you a lot.

kuene
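
A way to see which installed packages on a mixed woody/sarge host (strategy 2b) have no security-supported origin, as an added example that is not part of the original message. It parses `apt-cache policy` output; the sample output, versions and mirror names are constructed, and it assumes sources.list names suites by codename.

```python
# Constructed `apt-cache policy` output for a woody host with pinned sarge packages.
SAMPLE_POLICY = """\
apache:
  Installed: 1.3.26-0woody6
  Candidate: 1.3.26-0woody6
  Version table:
     1.3.33-6 0
        650 http://ftp.debian.org sarge/main Packages
 *** 1.3.26-0woody6 0
        700 http://security.debian.org woody/updates/main Packages
        100 /var/lib/dpkg/status
php4:
  Installed: 4.3.10-15
  Candidate: 4.3.10-15
  Version table:
 *** 4.3.10-15 0
        650 http://ftp.debian.org sarge/main Packages
        100 /var/lib/dpkg/status
     4.1.2-7 0
        700 http://ftp.debian.org woody/main Packages
clamav:
  Installed: 0.84-1
  Candidate: 0.84-1
  Version table:
 *** 0.84-1 0
        100 /var/lib/dpkg/status
"""

def installed_origins(policy_text):
    """Map each package to the set of suites offering its installed version."""
    origins, pkg, in_installed = {}, None, False
    for line in filter(str.strip, policy_text.splitlines()):
        tok = line.split()
        if not line[0].isspace() and line.endswith(":"):
            pkg, in_installed = line[:-1], False   # "apache:" starts a new package
            origins[pkg] = set()
        elif tok[0] == "***":                       # row of the installed version
            in_installed = True
        elif len(tok) == 2 and tok[1].isdigit():    # row of some other version
            in_installed = False
        elif pkg and in_installed and tok[0].isdigit() and len(tok) >= 3:
            origins[pkg].add(tok[2].split("/")[0])  # "woody/updates/main" -> "woody"
    return origins

def without_security_support(policy_text, supported=("woody",)):
    """Packages whose installed version is offered by no supported suite."""
    origins = installed_origins(policy_text)
    return sorted(p for p in origins if not origins[p] & set(supported))
```

Packages it reports are the ones to follow by hand, for example on the testing-security page; a package listed only in /var/lib/dpkg/status was installed from a local .deb or from a source no longer in sources.list.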


