[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Outrage at Debian dropping security for 2.1

On Fri, Sep 29, 2000 at 02:06:37PM -0700, Shane Wegner wrote:
> That said, I don't see a problem with maintaining
> major security upgrades for the previous release.  E.G. not
> Debian <= 2.0.

You may not see a problem with it, but are you willing to do the work?
Most of the work involved in dealing with a security alert becomes
harder for older distributions:

  - figuring out if the version we released is vulnerable.

  - backporting the patch, if any.  (Sometimes it's "upgrade to
    version foo", which brings its own problems.)

  - finding machines (of several architectures!) on which to compile
    and test the fixed packages, and keeping them pure.

And at the same time, the number of people interested in doing this
work and maintaining infrastructure for it drops, because the older
a release the fewer people will still use it.  This drop is pretty
sharp with Debian because upgrading is so easy and releases are

Richard Braakman

Reply to: