Re: Dreamhost dumps Debian
Excerpts from Russ Allbery's message of 2013-08-19 13:50:36 -0700:
> Clint Byrum <firstname.lastname@example.org> writes:
> > Most places as large and tech-savvy as Dreamhost are happy to maintain
> > something at the core of their business like a webserver
> > (i.e. nginx). It is glibc, gcc, sshd, the kernel, bash, etc., that they
> > don't want to have to think about.
> > The 2 year cadence has left users with very little time to actually
> > capitalize on their investment when upgrading. If one has 10 apps to
> > test and roll out on the new stable, and each app takes 1 month to get
> > there, and one starts immediately on release day, one now has 14 months
> > to recoup that time investment before one must start again. The only
> > real answer that makes sense is to continuously deploy on unstable, but
> > then you will suffer when a massive breaking transition begins.
> > Those 5 year cycles just give users more cushion.
> Not that it helps with our marketing posture here, but my experience in
> seeing what people actually *do* with Ubuntu LTS is that they run it for
> five years with exactly the software that shipped with it. They do *not*
> maintain their own versions of non-core software that has had security
> problems. Rather, they just blindly assume that LTS having security
> support for five years means that, as long as they regularly upgrade, they
> don't have to worry about security.
> They therefore end up running various non-core software with open security
Indeed, that is consistent with the anecdotal evidence I have for Ubuntu
as well. Most of mine comes from triaging bugs and answering questions
for Ubuntu users.
However for a high-tech business in the same class as Dreamhost, even core
components of the OS come under scrutiny when they affect the bottom line.
> This is mostly neither here nor there, since we're not Ubuntu and can't
> change anything about their model. However, as a Debian Developer, I
> would be extremely uncomfortable about having tiers of security support
> for our packages were we to try to duplicate something like LTS. I
> believe the actual effect on the users (unintended though it may be) is to
> deceive them into thinking they have security support when they don't.
> Debian currently provides security support for the whole archive as best
> as we can for the life of our stable release, and I don't think we should
> relax that standard to increase the lifetime of stable.
It is misleading and many users fall into the trap. However, those who
care enough to read their manuals and/or contact either Canonical or
another Ubuntu developer before building their entire business on top
of it usually understand the difference.
I am not suggesting any changes to Debian. I hope that I can bring some
perspective to the discussion, nothing more.