Re: I don't understand Debian

On Fri, Jun 22, 2007 at 08:24:22PM +0200, ignatius wrote:
> I have two questions that really concerned me.
> - Why it's Debian that fixes bugs and security holes? Why it isn't 
> upstream developers? How can you be sure that all security holes will be 
> found or revealed? (for instance an old software in stable can have a 
> security issue which is not in the recent version, so upstream can't 
> find it) Why upstream developers of important softwares do not sometimes 
> provide stable versions of their programs (eg linux kernel, libc, xorg), 
> instead of let Debian do the job for them?

This is clear: _users_ of Debian find bugs and security holes. Debian 
reports these back to upstream. Sometimes, the developers are able to 
fix these and supply patches with the bug reports.

At the same time, upstream are finding their own bugs. Sometimes, if the 
bug is major, it is easier/quicker/more straightforward to move to newer 
code: sometimes it is hard to patch old code. Taking Firefox as an 
example; Firefox 2.0.* is out: there is less incentive to patch 1.5.*

This was part of the core disagreement with Mozilla over Debian 
packaging which has led to the Debian version being rebranded iceweasel.

Debian wanted to maintain an essentially unchanged stable distribution 
over the life of the distribution: Mozilla disagreed and also disagreed 
with Debian's policy to backport security fixes wherever possible.

> I mean, with Windows® (sorry), things are sometimes more logical: the 
> kernel, "xserver, xclient", etc. (important apps) are stable for years, 
> but you can have the last firefox without update them (like a mix 
> stable/unstable, except that stable softwares are maintained by upstream, 
> not by a distribution).

Watch the speed of Microsoft patches :) Watch the subtle changes in 
underlying libraries. Now add Microsoft applications on top.
Given that, for example, games require new versions of DirectX ...
the outward Windows version may appear to remain the same, but 
internally all sorts of things may be happening :)

Can I save the next part, which deserves full consideration, for a 
separate reply?

> - Why Debian isn't KISS (Keep It Simple, Stupid!) compliant? I mean, I 
> never need to change my conf files. If I have a problem, I solve with 
> apt-get or dpkg-reconfigure. I don't understand how things works and I'm 
> too dependent on Debian. Furthermore, .deb are really complicated compare 
> with other package tools. I like for instance Frugalware philosophy: "We 
> try to ship fresh and stable software, as close to the original 
> as possible, because in our opinion most software is the best as is, and 
> doesn't need patching."
> Well, I don't like what is Linux today. Software developers don't care 
> about stability, are not responsible, whereas each Linux distributions 
> re-do the same jobs without cooperate. Linus should do something. It's 
> too easy to create a kernel and then let it go alone.
> Sorry for my English that is very bad compare to the real Ignatius 
> Reilly's English.
