
Re: Outrage at Debian dropping security for 2.1


I would like to state at the outset that I am not the
person that this Jonathan Walther replied to, but
I did read that posting and knew I would be following
it with interest.

On Thu, Sep 28, 2000 at 12:01:03PM -0700, Jonathan Walther wrote:
> If you want us to support security, perhaps you
> could propose some incentive?  We are all volunteers
> here at Debian, interested in putting out a quality
> distribution.  Your time is limited, otherwise I'm sure
> you too would love to fix and upgrade your distribution
> from source.  But our time is also limited, and we want
> the most bang for buck out of it.  That means not fighting
> the current of progress, and keeping up with new versions
> of software.
I am a Debian Developer wannabe -- currently going through the
processes.  I am also in the lucky position now of Debian being
the _only_ OS I use.  So here I can see both sides of the argument.
Developers only want to work on the *new* and exciting stuff.
Users want a stable and secure OS.

At work I upgraded to potato way too early, because I wanted
one of the cool new features of one of the packages -- I
forget which now.  This was a mistake; I spent far too much
time updating the systems trying to get them to a stable state.

> If security updates are of concern to you, perhaps you
> could get your company to pay some Debian maintainers to
> work on the old distribution.  If you have the time,
> perhaps you would like to volunteer to do some of that
> maintainership yours.
Security issues should be of concern to everyone.  As we
spend more and more of our time online (both at work and
at home), so the need to be secure increases.  Here in the
UK our government is making moves to make digital signatures
legally binding in a court of law.  I, therefore, cannot
afford to run an OS which isn't secure.

If I had to upgrade to the latest version of unstable Debian
to get a needed security fix, that would be an unacceptable
requirement on me as a user.  Would you want to upgrade all
your machines to woody when it is in a broken state?

> The distribution we've just released is the culmination
> of 2 years of hard work for us.  Try it.  You'll like it.
> Unlike many other distributions which require a reinstall
> from scratch, Debian guarantees a reliable upgrade path.
The problem is how long do we support obsolete (slink and
before) releases?  Anyone using Debian needs to find time
when it is safe to do the upgrade.  If one is nearing the
end of an important project, now is not the time to upgrade.

We need to define a reasonable period over which we support
both the stable and the obsolete versions.  This will give
our users time to plan the changeover.  Companies or large
organisations can then trial the changeover and find out
what issues they may encounter.  Private users or small companies
can find an appropriate time to do the change.

It would also be polite to announce when we would be cutting
support.  Users would then know when they need to act by.
Just cutting support is a bit like putting a gun to the
user's head and saying upgrade to potato now or suffer.

I believe that six months is a reasonable time frame
for overlap support given our 2 year release cycle.

                                Steve Dobson steve.dobson@krasnegar.demon.co.uk

I either want less decadence or more chance to participate in it.
