
Re: Updates in the very-old-stable



On 01/06/2013 09:08 PM, Adam Borowski wrote:
>
> It shouldn't be some private repository in a dark corner of the
> interwebs, it must be an official thing with a mandatory apt line during
> the installation.

I agree that would be the best thing to do, however it doesn't
seem like it's going to happen right now.

My point is to create a temporary repository to see if it's doable.
E.g., does it get enough traction so that DDs upload security fixes?
Also, that's unfortunately the only thing I can set up by myself,
without the help of some DSA people.

We can move to something more official later on.

But I'll start doing something only if I get at least a few positive
replies to this thread, which I haven't yet... I don't intend to
do all that by myself.

> Too many people I otherwise respect use lenny (or etch!) on production
> network-facing servers, no matter how often I scream at them. And if
> they'll get rooted, there'll be stink about Debian's lack of security.
>
> The upgrade window is only 12 months, that's ridiculously short in many
> environments (corporate with its inertia, small setups where admins are
> starved for tuits).

Exactly!

>> It's probable that others will want updates for apache, postfix, and
>> stuff like that as well.
> Ie, anything that is likely to be vulnerable remotely.

And also, anything that is likely to be a critical piece of software.
Like, for example I wouldn't really care about game servers...

> Thus, I propose:
> what about adding such an empty repository to wheezy's apt sources NOW?  In
> a few years, when wheezy becomes retired oldstable, there will be time to
> decide whether to use that repository or not.  Or alternatively, you could
> revive lenny-security -- this has the upside of not adding new entities, and
> a downside of announcements being not as loud as a 404.

Let's be realistic: this won't happen unless some key DDs reply
positively to this thread (DSA, FTP-Masters, security team, etc.).

Also, when the old-stable becomes obsolete, it goes to
archive.debian.org. So you do get a 404 anyway. I don't see
adding a new repository as a problem. It also forces users
to know what they are doing. We can also choose a repository
name explicitly expressing the fact that it's not full support like
it used to be with old-stable.

Thomas
