
Re: I don't understand Debian



On Fri Jun 22, 2007 at 20:24:22 +0200, ignatius wrote:

> - Why is it Debian that fixes bugs and security holes? Why isn't it upstream
> developers?

  Generally upstream developers *will* fix security holes, however 
 Debian users generally get their software from *us*.

  So if we're shipping software in our stable release then for a fix
 to be sent to our users we need to release it.

  (Otherwise the upstream software project might release a fixed
 release; but 99% of the package users would not notice and still
 be installing the version from our repository.)

> How can you be sure that all security holes will be found or 
> revealed?

  We cannot.

  We sometimes have some people scanning for problems and reporting
 them, but there is absolutely no promise that a program we ship
 will be free of security issues.

  Since you use Windows for your mail, I could say "How can
 Microsoft promise that their software is security-hole free?".  The
 answer is that they cannot, and neither can we.

> (for instance, old software in stable can have a security issue
> which is not in the recent version, so upstream can't find it) Why do upstream
> developers of important software not sometimes provide stable versions of
> their programs (e.g. Linux kernel, libc, xorg), instead of letting Debian do the job
> for them?

  You'll have to ask them.

  Some projects do release patches for old(er) versions.  Others, such
 as the Mozilla project, do not.

> I mean, with Windows (sorry), things are sometimes more logical: the kernel,
> "xserver, xclient", etc. (important apps) are stable for years, but you can
> have the latest Firefox without updating them (like a mix of stable/unstable, except
> that the stable software is maintained by upstream, not by a distribution).

  This is tangential to security support, and security updates.
 Important Windows DLLs *do* get changed for security fixes, but the
 public API doesn't change - so that the latest programs still run.
 This is the same as the Debian stable release system.

> - Why isn't Debian KISS (Keep It Simple, Stupid!) compliant? I mean, I never
> need to change my conf files. If I have a problem, I solve it with apt-get or
> dpkg-reconfigure. I don't understand how things work and I'm too dependent on
> Debian.

  The problem with you being dependent upon Debian is with you, not with
 Debian.

> Furthermore, .deb files are really complicated compared with other package
> tools. I like for instance the Frugalware philosophy: "We try to ship fresh and
> stable software, as close to the original source as possible, because in our
> opinion most software is the best as is, and doesn't need patching."

  They are simple and logical once you look at them.  However 99% of
 users will never need to look at the files manually.  So it doesn't
 matter.

  I don't understand RPMs, but I don't need to.  I just install them
 with "yum install emacs" and it works.  The complexity is hidden from
 me and with good reason.

> Well, I don't like what Linux is today. Software developers don't care about
> stability, are not responsible, whereas each Linux distribution re-does the same
> jobs without cooperating. Linus should do something. It's too easy to create a
> kernel and then let it go alone.

  Linus has no say in distributions, and most likely doesn't care.
  If you have an objection to the way things are currently working
 you need to persuade the people who make your distribution to change,
 not just say that "you don't like it".  If you do that too often
 people will, rightly, ignore you.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
