On Fri, Oct 19, 2018 at 04:14:47PM +0200, Raphael Hertzog wrote: > > The main thing: concerns were raised by several of the cloud platforms > > people that LTS security doesn't seem to be working very well. They're > > not seeing fixes happening for known issues, and so at the moment they > > don't have trust in the process. > > Really? This is the first time I hear such feedback. Can you put me in > touch with the person(s) who made those claims so that I can try to have > more concrete information about the alleged problems? I'm sure a lot of it is a matter of perception, but the level of integration of LTS with the stable lifecycle does not seem as deep as someone familiar with Debian stable might expect it to be. For example, security announcements being published to a list other than debian-security-announce makes it feel very unofficial and does not invoke the same level of confidence in the commitment (it is somewhat remeniscent of the secure-testing effort). Lack of integration with packages.debian.org and incomplete coverage of the archive also present problems. For exaple, despite the existence of DLA 1531, I cannot find evidence of a 4.9 kernel for jessie on packages.debian.org except in jessie-backports, and backports is well documented as not having official security support. (Again, I realize that this may be a matter of visibility and perception.) For my part, as maintainer of the images on AWS, I don't want to prevent people currently using the jessie images from continuing to do so. I simply don't want new (to AWS or to Debian) users from starting out with jessie. As such, I've made the jessie listings slightly less discoverable using AWS interfaces, and have noted their deprecation on the relevant Debian wikis. Somebody who is familiar with LTS and interested in using it is certainly welcome to do so, though. noah
Attachment:
signature.asc
Description: PGP signature