# Stable or amd64, security

## dashko

Hi,

I would like to know what is more secure, stable packages or ~amd64 packages?

I am wondering if I have to update to the latest ~amd64, or whether stable is secure enough.

And what about patches? Are there more security fixes in ~amd64 or stable?

Thanks for answers!

----------

## NeddySeagoon

dashko,

How secure 'secure enough' is depends on your application and level of paranoia.

By definition ~arch does not get security 'patches', in that they are not backported. It gets a whole new upstream version.

Further, ~arch may have a later version of a package anyway, so if a new exploit is found in amd64, it might not exist in ~amd64.

For stability, there is little to choose between ~amd64 and amd64, but you need to take care updating ~amd64, as you can get some occasional nasty surprises.

Security is like layers of an onion and the more you have, the more intrusive it gets.

e.g. most secure is to unplug the network connection but that might be too intrusive.

Next is to run a hardened system. That's the gentoo-hardened kernel sources and install, with PaX/SELinux/role-based security. That can be intrusive too, depending on your settings.

If you will plug the network in, run only the services you need and run a firewall too - with or without hardening.

The firewall can keep nasty things out, and should one get in, stop it from phoning home.
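
A host firewall that does both of the jobs named above, keeping things out and stopping anything that does get in from phoning home, has to default-deny in both directions. The script below is an added example for this thread, not the poster's configuration or anything shipped by Gentoo. It assumes nftables (net-firewall/nftables) is the packet filter, that the host runs only sshd, and that the only outbound traffic it needs is DNS, NTP, and HTTPS/rsync for the package mirrors; the ruleset is printed by default and applied only when `APPLY=1` is set.

```shell
#!/bin/sh
# Default-drop host firewall with an explicit allow-list in both directions.
# Added example (not from the original poster or from Gentoo).
# Assumptions: nftables is installed; this host runs sshd only; outbound needs
# are DNS, NTP, HTTPS and rsync (package mirrors). Edit the ports to match.

# The ruleset lives in a function so it can be reviewed without touching the
# running kernel.
ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # only the services this host actually runs
        tcp dport 22 ct state new accept
        # ping and IPv6 neighbour discovery, needed for the link to work
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        limit rate 5/minute log prefix "fw-in-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # outbound allow-list: DNS, NTP, package mirrors (https and rsync)
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport { 443, 873 } accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # anything else trying to leave is logged and dropped: this is the
        # "phoning home" that a default-allow output chain lets through silently
        limit rate 5/minute log prefix "fw-out-drop: "
    }
}
EOF
}

# Number of chains whose default policy is drop. All three hooks (input,
# forward, output) must be covered; fewer means a direction was left open.
drop_policies() {
    ruleset | grep -c 'policy drop'
}

# Apply only on request (needs root and nftables); otherwise just print it.
if [ "${APPLY:-0}" = "1" ] && command -v nft >/dev/null 2>&1; then
    ruleset | nft -f -
else
    ruleset
fi
```

The output chain is the part that is usually missing: most host firewalls only filter inbound. With it in place, a compromised service that tries to reach a command-and-control host on some unlisted port is dropped and shows up in the kernel log under the `fw-out-drop:` prefix, which is also a cheap detection signal. The price is that any new legitimate outbound need (a git-based sync, outbound mail) has to be added to the list explicitly.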

----------

## a3li

 *dashko wrote:*   

> Hi,
> 
> I would like to know what is more secure, stable packages or ~amd64 packages?
> 
> I am wondering if I have to update to the latest ~amd64, or whether stable is secure enough.
> ...

 

Our security efforts concentrate on the stable tree, thus advisories only cover stable. We try to keep ~arch as secure as we can as well, but that is only best-effort.

----------

## dashko

 *NeddySeagoon wrote:*   

> Thats the gentoo-hardened kernel sources and install, with pax/SElinux/role based security. That can be intrusive too, depending on your settings.

 

I will try, thanks for pointing me in the right direction.

 *a3li wrote:*   

> Our security efforts concentrate on the stable tree, thus advisories only cover stable. We try to keep ~arch as secure as we can as well, but that is only best-effort.

 

Thanks, I will recompile my unstable packages. I thought the exact opposite. :)
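
Before recompiling, it helps to know exactly which installed packages came from ~amd64, since those are the ones outside GLSA coverage, and which advisories the system is currently affected by. The script below is an added example for this thread, not a Gentoo tool or anything from the posters. It reads Portage's installed-package database directly (`/var/db/pkg/<category>/<pkg-version>/KEYWORDS`, the keywords recorded when each package was installed) and then runs `glsa-check` from app-portage/gentoolkit if it is present. `ARCH` and `VDB` are assumed names for the two knobs; they default to `amd64` and `/var/db/pkg`.

```shell
#!/bin/sh
# Audit which installed packages were keyworded ~ARCH only (outside GLSA
# coverage) and which GLSAs currently affect the system.
# Added example for this thread; not a Gentoo tool.
# Assumptions: ARCH is the stable keyword to check against (default amd64),
# VDB is Portage's installed-package database (default /var/db/pkg).

ARCH="${ARCH:-amd64}"
VDB="${VDB:-/var/db/pkg}"

# Return 0 when a KEYWORDS string carries "~ARCH" but not the stable "ARCH",
# i.e. the ebuild was testing-only for this arch; 1 otherwise.
is_testing_only() {
    keywords="$1"
    arch="$2"
    stable=1
    testing=1
    for kw in $keywords; do
        [ "$kw" = "$arch" ] && stable=0
        [ "$kw" = "~$arch" ] && testing=0
    done
    if [ "$stable" -eq 0 ] || [ "$testing" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Print category/pkg-version for every installed package whose KEYWORDS file
# shows it was testing-only for ARCH at install time.
list_testing_packages() {
    for kwfile in "$VDB"/*/*/KEYWORDS; do
        [ -f "$kwfile" ] || continue
        pkgdir="${kwfile%/KEYWORDS}"
        cpv="$(basename "$(dirname "$pkgdir")")/$(basename "$pkgdir")"
        if is_testing_only "$(cat "$kwfile")" "$ARCH"; then
            printf '%s\n' "$cpv"
        fi
    done
}

main() {
    echo "Installed packages keyworded ~$ARCH only (not covered by GLSAs):"
    list_testing_packages

    # glsa-check ships with app-portage/gentoolkit; skip cleanly where absent.
    if command -v glsa-check >/dev/null 2>&1; then
        echo "GLSAs this system is affected by:"
        glsa-check -t all || true   # -t tests; exit status is not relied on here
        # glsa-check -p affected    # show what fixing them would upgrade
        # glsa-check -f affected    # apply the fixes
    else
        echo "glsa-check not found (emerge app-portage/gentoolkit to get it)"
    fi
}

main "$@"
```

Packages listed by the first part are the ones to move back to stable (drop their entries from `/etc/portage/package.accept_keywords` and let the next world update pick the stable version). One caveat: the VDB records the keywords the ebuild had when it was installed, so a package that was stabilised after you installed it still shows up here until it is re-emerged.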

----------

