Re: Dreamhost dumps Debian



Excerpts from Russ Allbery's message of 2013-08-19 13:50:36 -0700:
> Clint Byrum <spamaps@debian.org> writes:
> 
> > Most places as large and tech-savvy as Dreamhost are happy to maintain
> > something at the core of their business like a webserver
> > (i.e. nginx). It is glibc, gcc, sshd, the kernel, bash, etc., that they
> > don't want to have to think about.
> 
> > The 2 year cadence has left users with very little time to actually
> > capitalize on their investment when upgrading. If one has 10 apps to
> > test and roll out on the new stable, and each app takes 1 month to get
> > there, and one starts immediately on release day, one now has 14 months
> > to recoup that time investment before one must start again. The only
> > real answer that makes sense is to continuously deploy on unstable, but
> > then you will suffer when a massive breaking transition begins.
> 
> > Those 5 year cycles just give users more cushion.
> 
> Not that it helps with our marketing posture here, but my experience in
> seeing what people actually *do* with Ubuntu LTS is that they run it for
> five years with exactly the software that shipped with it.  They do *not*
> maintain their own versions of non-core software that has had security
> problems.  Rather, they just blindly assume that LTS having security
> support for five years means that, as long as they regularly upgrade, they
> don't have to worry about security.
> 
> They therefore end up running various non-core software with open security
> vulnerabilities.
> 

Indeed, that is consistent with the anecdotal evidence I have for Ubuntu
as well. Most of mine comes from triaging bugs and answering questions
for Ubuntu users.

However for a high-tech business in the same class as Dreamhost, even core
components of the OS come under scrutiny when they affect the bottom line.

> This is mostly neither here nor there, since we're not Ubuntu and can't
> change anything about their model.  However, as a Debian Developer, I
> would be extremely uncomfortable about having tiers of security support
> for our packages were we to try to duplicate something like LTS.  I
> believe the actual effect on the users (unintended though it may be) is to
> deceive them into thinking they have security support when they don't.
> Debian currently provides security support for the whole archive as best
> as we can for the life of our stable release, and I don't think we should
> relax that standard to increase the lifetime of stable.
> 

It is misleading and many users fall into the trap. However, those who
care enough to read their manuals and/or contact either Canonical or
another Ubuntu developer before building their entire business on top
of it usually understand the difference.

I am not suggesting any changes to Debian. I hope that I can bring some
perspective to the discussion, nothing more.
