[SlugLUG] Debian As A Server
Rick Moen
rick at linuxmafia.com
Mon Jun 12 09:52:55 PDT 2006
Quoting Eric Carter (eacarter at ucsc.edu):
> If I recall correctly, testing isn't going to be a good choice for what
> you're looking for. While it is slightly more stable than unstable, it's
> not supported by the security team. And since packages sit in testing
> for longer than they sit in unstable that means the stable version will
> be patched, the unstable version will have the new version (presumably
> including the security fix) and you'll still be stuck with the unpatched
> version in testing.
Here's my (admittedly eccentric) solution:

:r /etc/apt/preferences

Package: *
Pin: release a=unstable
Pin-Priority: 50

:r /etc/apt/sources.list

deb ftp://ftp.us.debian.org/debian/ testing main contrib non-free
deb ftp://ftp.us.debian.org/debian/ unstable main non-free contrib
deb http://security.debian.org/ testing/updates main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src ftp://ftp.us.debian.org/debian/ unstable main non-free contrib

(And I subscribe to debian-security-announce, and read relevant DSAs
attentively.)

In case it's not obvious how the above works: I have the default branch
set to testing, but unstable-branch packages are available upon specific
request, thus:

   # apt-get -t unstable install <packagename>

When not specified by branch name, unstable-branch packages are
otherwise never fetched, because their pin-priority is set to 50, where
100 is normal.

I call that "eccentric" in part because it's a bass-ackwards way of
using Debian's "pinning" mechanisms -- but it sure works. ;->
There's never yet been a case where the DSA fix isn't available either
in testing or unstable, in several years of operating production servers
in that fashion. I keep expecting to have to manually fetch something
from stable (per URL in the DSA) and "dpkg -i" it -- or compile a local
package from upstream sources, or remove a package and replace it with
a competing one (or not replace it at all), but so far I've never needed
any of those fallbacks.
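
The pinning behaviour described in the message above, as an added example that is not part of the original post: a simplified Python model of APT's candidate selection following the rules in apt_preferences(5). The version tuples are constructed sample data (real Debian version comparison is more involved), the 500/100/990 defaults are the ones documented in apt_preferences(5), and `-t` is assumed to take precedence over the pin, as the message describes.

```python
# Added example: simplified model of APT candidate selection (apt_preferences(5)).
DEFAULT, INSTALLED, TARGET = 500, 100, 990  # documented default priorities

def release_priority(release, pins, target=None):
    """Priority of an archive: 990 if named with -t, else its pin, else 500."""
    if release == target:
        return TARGET
    return pins.get(release, DEFAULT)

def candidate(available, installed, pins, target=None):
    """available: {release: version tuple}; installed: version tuple or None.
    Returns (version, release); release is None when the installed copy wins."""
    scored = [(release_priority(rel, pins, target), ver, rel)
              for rel, ver in available.items()]
    if installed is not None:
        scored.append((INSTALLED, installed, None))
        # APT never downgrades unless a version's priority exceeds 1000.
        scored = [s for s in scored if s[1] >= installed or s[0] > 1000]
    # Highest priority wins; among equal priorities, the newest version.
    _, version, release = max(scored, key=lambda s: (s[0], s[1]))
    return version, release

PINS = {"unstable": 50}  # the /etc/apt/preferences stanza from the message

# Constructed sample data: version tuples stand in for Debian version strings.
ARCHIVES = {"testing": (1, 2), "unstable": (1, 4)}

def demo():
    # Routine upgrade: testing (500) outranks the newer unstable build (50).
    routine = candidate(ARCHIVES, (1, 2), PINS)
    # Explicit request: -t unstable raises that archive to 990.
    explicit = candidate(ARCHIVES, (1, 2), PINS, target="unstable")
    # After the explicit install, unstable moves on to 1.5 (constructed).
    later = candidate({"testing": (1, 2), "unstable": (1, 5)}, (1, 4), PINS)
    return routine, explicit, later

if __name__ == "__main__":
    for label, result in zip(("routine", "-t unstable", "later upgrade"), demo()):
        print(label, result)
```

In this model the third case keeps the installed 1.4 build: a package pulled from unstable does not follow unstable on routine upgrades, so a later fix for it needs another explicit `-t unstable` install until testing catches up.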