
Re: Updates in the very-old-stable

On Sun, Jan 06, 2013 at 01:54:34PM +0800, Thomas Goirand wrote:
> I agree with all that you said (e.g.: difficulties in doing such a maintenance,
> the fact we don't have unlimited manpower, etc.), but I'm still convinced it
> would be worth a try.
> On 01/06/2013 04:39 AM, Neil Williams wrote:
> > It's not about prohibiting updates, it's that most maintainers don't
> > have time to support deprecated versions.
> How about allowing anyone to work on any package in very-old-stable?
> This might work at least for a few key packages, which some
> users badly need. For example, I'd like to provide backports
> for bind if it has a major hole.

I disagree.

It shouldn't be some private repository in a dark corner of teh
interwebs, it must be an official thing with a mandatory apt line during
the installation.

Too many people I otherwise respect use lenny (or etch!) on production
network-facing servers, no matter how often I scream at them.  And if
they get rooted, there'll be a stink about Debian's lack of security.

The upgrade window is only 12 months, that's ridiculously short in many
environments (corporate with its inertia, small setups where admins are
starved for tuits).

> It's probable that others will want updates for apache, postfix, and
> stuff like that as well.

I.e., anything that is likely to be vulnerable remotely.

> Anyone maintaining a large amount of servers will see value
> in this (eg: better than nothing).

I'd say admins with just one or two servers are more vulnerable, as they
won't know about the issue in the first place.

> The idea isn't to keep quality as high as we have for stable
> or old-stable. The idea isn't to keep the same maintenance
> rules either. It's about allowing what can be done to happen.

It's impossible to maintain several tens of thousands of packages with the
usual level of quality, yes.  Doing that for several tens of packages can
be done for a decade or two.

Thus, I propose:
what about adding such an empty repository to wheezy's apt sources NOW?  In
a few years, when wheezy becomes retired oldstable, there will be time to
decide whether to use that repository or not.  Or alternatively, you could
revive lenny-security -- this has the upside of not adding new entities, and
a downside of announcements being not as loud as a 404.

How to squander your resources: those silly Swedes have a sauce named
"hovmästarsås", the best thing ever to put on cheese, yet they waste it
solely on mere salmon.
