[Tfug] backporting packages with Woody

[Claude Rubinson]

On Tue, Nov 25, 2003 at 02:15:53PM -0700, Jeremy Rogers wrote:
> Um... I was always under the impression that testing fit nicely
> between stable and unstable.  This is the primary reason I use it.
> Is there any reason to beleive that unstable is "more supported" or
> gets security patches more quickly than testing?

That's a common misconception.  Although Testing is more stable than
Unstable, it may be less secure.  Testing is automatically generated
from Unstable.  After a package is uploaded to Unstable, it will
*automatically* be moved into testing after a certain period of days
if and only if (1) no additional release-critical bugs are reported by
users of Unstable, (2) it won't break by being uploaded into Testing
(i.e., it's dependencies are satisfied), and (3) it won't break
anything else by being uploaded into Testing.  Note that this is all
done by scripts; there's no human intervention here.

In theory, what this means is that a package in Testing may severely
lag behind Unstable for a variety of reasons (a bug is reported,
dependencies aren't met, or the maintainer uploads a newer version of
the package).  In practice, this doesn't tend to occur frequently and
Testing typically tracks Unstable fairly closely.  But, if an exploit
is found in some package and Unstable gets the fix immediately,
Testing won't get the fix for at least 2 days, probably longer.
Because of this, it's absolutely critical that those of us who track
Testing keep on top of our security policies.  (Not that it isn't
critical for everyone to keep on top of security policies.)

Admittedly, I'm oversimplifying.  For more detail, see:
http://www.debian.org/devel/testing

Claude