[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dreamhost dumps Debian

Clint Byrum <spamaps@debian.org> writes:

> Most places as large and tech-savvy as Dreamhost are happy to maintain
> something at the core of their business like a webserver
> (i.e. nginx). It is glibc, gcc, sshd, the kernel, bash, etc., that they
> don't want to have to think about.

> The 2 year cadence has left users with very little time to actually
> capitalize on their investment when upgrading. If one has 10 apps to
> test and roll out on the new stable, and each app takes 1 month to get
> there, and one starts immediately on release day, one now has 14 months
> to recoup that time investment before one must start again. The only
> real answer that makes sense is to continuously deploy on unstable, but
> then you will suffer when a massive breaking transition begins.

> Those 5 year cycles just give users more cushion.

Not that it helps with our marketing posture here, but my experience in
seeing what people actually *do* with Ubuntu LTS is that they run it for
five years with exactly the software that shipped with it.  They do *not*
maintain their own versions of non-core software that has had security
problems.  Rather, they just blindly assume that LTS having security
support for five years means that, as long as they regularly upgrade, they
don't have to worry about security.

They therefore end up running various non-core software with open security

This is mostly neither here nor there, since we're not Ubuntu and can't
change anything about their model.  However, as a Debian Developer, I
would be extremely uncomfortable about having tiers of security support
for our packages were we to try to duplicate something like LTS.  I
believe the actual effect on the users (unintended though it may be) is to
deceive them into thinking they have security support when they don't.
Debian currently provides security support for the whole archive as best
as we can for the life of our stable release, and I don't think we should
relax that standard to increase the lifetime of stable.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: