Re: On cadence and collaboration

To: debian-project@lists.debian.org, Marc Haber <mh+debian-project@zugschlus.de>
Subject: Re: On cadence and collaboration
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 5 Aug 2009 15:23:05 -0400
Message-id: <[🔎] 20090805192305.GD4273@morgul.net>
Mail-followup-to: Noah Meyerhans <noahm@debian.org>, debian-project@lists.debian.org, Marc Haber <mh+debian-project@zugschlus.de>
In-reply-to: <[🔎] 4A799BA6.80106@ubuntu.com>
References: <[🔎] 4A794F22.7090902@ubuntu.com> <[🔎] 20090805113226.GC24853@torres.zugschlus.de> <[🔎] 4A799BA6.80106@ubuntu.com>

On Wed, Aug 05, 2009 at 03:48:06PM +0100, Mark Shuttleworth wrote:
> >>  If upstream knows, for example, that MANY distributions will be
> >>  shipping a particular version of their code and supporting it for
> >>  several years (in fact, if they can sit down with those distributions
> >>  and make suggestions as to which version would be best!) then they
> >>  are more likely to be able to justify doing point releases with
> >>  security fixes for that version... which in turn makes it easier for
> >>  the security teams and maintainers in the distribution.
> >>     
> >
> > In practice, most upstreams adopt a "you're using a version that's two
> > weeks old, go update to our current development snapshot and see
> > yourself whether the bug is still there" attitude.
> >   
> That's true. To upstream there is "tip" (which all real developers run,
> right? ;-)) and then there's "the cloud of released versions which
> distributions are still shipping". It's hard to get their attention
> about the particular version that any one distribution is shipping, but
> I think it's reasonable to believe it would be easier to get their
> attention about a version that *many* distributions adopted.

Additionally, even if upstream isn't willing to provide any help to
distros shipping what they consider to be a "stale" version, the distros
are in a better position to help each other if they're shipping similar
versions.  We see this sort of cooperation _all the time_ in the
security community via the vendor-sec mailing list.  Patches for a given
problem may be proposed by a representative from one distro, reviewed by
members of several others, finally used by even more.  This may all
happen with or without help from upstream.  Either way, it's easier for
everybody involved if people are using similar versions.  I suspect we'd
see a lot more help from upstream developers if they knew they only had
to come up with a fix for a given problem once, rather than for several
different versions.  We benefit either way, though.

noah

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: On cadence and collaboration
  - From: Mark Shuttleworth <mark@ubuntu.com>

References:
- On cadence and collaboration
  - From: Mark Shuttleworth <mark@ubuntu.com>
- Re: On cadence and collaboration
  - From: Marc Haber <mh+debian-project@zugschlus.de>
- Re: On cadence and collaboration
  - From: Mark Shuttleworth <mark@ubuntu.com>

Prev by Date: Re: On cadence and collaboration
Next by Date: Re: On cadence and collaboration
Previous by thread: Re: On cadence and collaboration
Next by thread: Re: On cadence and collaboration
Index(es):
- Date
- Thread