Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

Russ Allbery writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):
> If we're going to offer meaningful security support, we have to have a
> bug-fixer of last resort, and that's the party most stressed by extending
> security support.  Particularly since for every year we extend it,
> more maintainers will be uninterested in doing so for their own packages.

This is the key point.  In practice fairly few maintainers are
going to be willing to put in extra effort for longer support - and
particularly not in the cases where this is most difficult.

So any proposal to do an LTS involves almost all of the extra security
effort falling on the LTS security team.  That we don't have an LTS
security team composed of people willing to shoulder that burden is
the reason we don't have an LTS.  Statements that "maintainers should
help out" are not encouraging.

If it turns out that there are people who _do_ want to do that work,
with a minimum of concrete help from maintainers, then of course that
is to be encouraged.

> Alternately, we could be far more aggressive about removing packages from
> oldstable, I suppose, but I don't think that's a good idea; that just
> leaves our users with exactly the sorts of choices that we're trying to
> avoid.  I think it's much cleaner and better for our users to offer full
> security support and then retire the whole distribution at the same time.
> It makes planning considerably easier, among other things.

Worse: in practice, removing packages is invisible to the users and
their package manager.  The `removed' packages just remain,
vulnerable, on the users' systems.
