Re: I don't understand Debian
On Fri, Jun 22, 2007 at 08:24:22PM +0200, ignatius wrote:
> I have two questions that really concerned me.
> - Why is it Debian that fixes bugs and security holes?
There are lots of differences between:
- upstream and Debian release goals
- upstream and Debian build environment (Debian has 10+ archs vs upstream's 1 -- in most cases)
- upstream and Debian package goals
- bugs introduced when upstream's package is introduced into Debian's distro of 16,000+ packages.
- Debian's bug fixes introduce their own bugs (regular and security)
These are true for any distro, not just Debian.
> Why isn't it
> upstream developers? How can you be sure that all security holes will be
> found or revealed?
No one can. So we rely on programmer skill, user testing, QA testing and
other things to find and fix bugs. This is true for all distros
and upstreams. Thus there is no perfect software. Of course, some folks
hide bugs and close the source, this makes things seem better sometimes.
> (for instance an old software in stable can have a
> security issue which is not in the recent version, so upstream can't
> find it) Why do upstream developers of important software not sometimes
> provide stable versions of their programs (eg linux kernel, libc, xorg),
> instead of letting Debian do the job for them?
Debian has security support for a limited time for all its stable
distros. Also, there is the backporting of security fixes. And there is
(still unofficial) backports.org that has newer software made for stable
> I mean, with Windows® (sorry), things are sometimes more logical: the
> kernel, "xserver, xclient", etc. (important apps) are stable for years,
> but you can have the latest firefox without updating them (like a mix
> stable/unstable, except that stable software is maintained by upstream,
> not by a distribution).
This is currently done (more or less) by backports.org (or other similar
> - Why isn't Debian KISS (Keep It Simple, Stupid!) compliant?
Debian strives for this and many folks seem to think it does it well.
> I mean, I never need to change my conf files. If I have a problem, I
> solve it with apt-get or dpkg-reconfigure. I don't understand how things
> work and I'm too dependent on Debian. Furthermore, .deb are really
> complicated compared with other package tools.
The deb format is derived from the 'ar' packaging tool that is on every
UN*X system. That is not very complicated. Furthermore, all Debian
related files are conveniently in one directory (/debian), so as to easily
differentiate it from the upstream source.
> I like for instance
> Frugalware philosophy: "We try to ship fresh and stable software, as
> close to the original source as possible, because in our opinion most
> software is the best as is, and doesn't need patching."
That sounds more like Gentoo and its ebuilds. Debian distributes binary
> Well, I don't like what Linux is today. Software developers don't care
> about stability, are not responsible, whereas each Linux distribution
> re-does the same jobs without cooperating. Linus should do something. It's
> too easy to create a kernel and then let it go alone.
It's true that some areas could use better co-operation and many distros
don't communicate with upstream enough (where possible) to get their
changes upstream (where possible). But we do try.
> Sorry for my English that is very bad compared to the real Ignatius
> Reilly's English.
Most folks write English well enough to communicate their ideas and most
readers try to compensate for any lacking when they read their ideas.
So I think most folks understood what you wrote.
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|