[Techtalk] Using Debian Testing (Sarge) on production servers

[Carla Schroder]

On Friday 05 March 2004 5:16 pm, Rasjid Wilcox wrote:
> I'm planning on moving from my current web-hosting providers to a 
> user-mode-linux virtual server provider.  (The best option so far looks like 
> Linode.com).
> 
> I like Debian as a server platform, but Stable is just too old in many 
cases.
> 
> I have met one sysadmin who runs Testing with some packages pinned to 
Unstable 
> to get security fixes quickly.
> 
> Any views or thoughts would be appreciated.

What security fixes? Stable gets the highest priority, Testing gets security 
fixes rather slowly, and Unstable gets none. For a server, I wouldn't touch 
Unstable with a ten-foot pole, it's asking for trouble. There's usually not a 
lot of difference between Testing and Unstable as far as releases goes, to me 
it's not worth the risk to gain a fractional point release.

There are two approaches that make sense to me:

1. Run a base Stable system, and add packages from Testing only as you need 
them. This minimizes your risk of being 'sploited.

2. Run a completely Testing system. It's a little less work, but you better 
have a really really good firewall! and don't forget egress filtering.

Pinning is a major PITA. Another way to manage a mixed system is to 
use /etc/apt/apt.conf. Add this line to it:

APT::Default-Release "stable"

Then edit your sources.list to include sources for both Stable and Testing, 
and run apt-get update. Now when you do "apt-get install foo", it will 
default to Stable. To install or update a package from Testing, there are two 
ways:

apt-get install testing foo
apt-get install foo=1.0.11

Specifying the release numbers ensures that you will get exactly the version 
you want.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
www.tuxcomputing.com
this message brought to you
by Libranet 2.8 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~