Re: Dreamhost dumps Debian



Clint Byrum <spamaps@debian.org> writes:

> Most places as large and tech-savvy as Dreamhost are happy to maintain
> something at the core of their business like a webserver
> (i.e. nginx). It is glibc, gcc, sshd, the kernel, bash, etc., that they
> don't want to have to think about.

> The 2 year cadence has left users with very little time to actually
> capitalize on their investment when upgrading. If one has 10 apps to
> test and roll out on the new stable, and each app takes 1 month to get
> there, and one starts immediately on release day, one now has 14 months
> to recoup that time investment before one must start again. The only
> real answer that makes sense is to continuously deploy on unstable, but
> then you will suffer when a massive breaking transition begins.

> Those 5 year cycles just give users more cushion.

Not that it helps with our marketing posture here, but my experience in
seeing what people actually *do* with Ubuntu LTS is that they run it for
five years with exactly the software that shipped with it.  They do *not*
maintain their own versions of non-core software that has had security
problems.  Rather, they just blindly assume that LTS having security
support for five years means that, as long as they regularly upgrade, they
don't have to worry about security.

They therefore end up running various non-core software with open security
vulnerabilities.

This is mostly neither here nor there, since we're not Ubuntu and can't
change anything about their model.  However, as a Debian Developer, I
would be extremely uncomfortable about having tiers of security support
for our packages were we to try to duplicate something like LTS.  I
believe the actual effect on the users (unintended though it may be) is to
deceive them into thinking they have security support when they don't.
Debian currently provides security support for the whole archive as best
as we can for the life of our stable release, and I don't think we should
relax that standard to increase the lifetime of stable.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>