Re: Announcing EOL for Jessie images

[Paul Dejean <paulcdejean@gmail.com>]

On Tue, Oct 23, 2018, 6:17 AM Martin Zobel-Helas <zobel@ftbfs.de> wrote:

David,

Also from a user’s perspective i would like to hear your feedback on the mail I wrote earlier today to the cloud list... Be aware that none of the timeline in this mail is written into stone yet. It is just a proposal.

Best regards,

Martin 

Am 23.10.2018 um 13:14 schrieb Martin Zobel-Helas <zobel@ftbfs.de>:

Hi David,

My understanding is that removing the images from the vendors market places is to make the images less easy discoverable and to discourage users from spinning new instances from an old image type. I don’t know the exact details for AWS but my guess is those AMI IDs will NOT remain indefinitely but at least longer.

Also be aware that we will release Debian Buster hopefully in the middle of next year. Maybe it is time to switch away from Debian Jessie at one point... Rather sooner than later...

Best regards,

Martin 

Am 23.10.2018 um 12:51 schrieb David Osborne <david@qcode.co.uk>:

Thank you... so the amis themselves should remain indefinitely?

-- 

David

On Tue, 23 Oct 2018 at 11:47, Martin Zobel-Helas <zobel@ftbfs.de> wrote:

>From my understanding Noah only removed the links from the market place, but did not remove the images from the storage. This means by knowing the image AMI IDs you should still be able to rebuild your images on top of our Debian images.

Best regards,
Martin

Are people saying that LTS is doing a poor job of security updates?

Because I was just noticing that CVE-2017-14062 for libidn11 (not to be confused with the more popular linidn2) fixed in 1.29-1+deb8u3 on jessie lts but not in 1.33-1 (the current version) on stretch.

So I frankly have no idea where these "concerns were raised by several of the cloud platforms people that LTS security doesn't seem to be working very well" are coming from.