On Fri, 2018-06-08 at 10:11 +0800, Paul Wise wrote: > In my experience the Wordpress upstream auto-upgrade system is > typically faster than the Debian's handling of Wordpress. I didn't realise Wordpress had an auto-upgrade system. That put's in the same league as the Browsers like Chrome and Firefox. I'm impressed. However, it's not the same service that Debian offers. Wordpress has an auto upgrade system to the new version. Debian has auto application of security patches to an existing system. To see the difference, try googling "Wordpress upgrade breaks". Or look at the howls of anguish on this list directed up the upcoming Firefox ESR update for stable. Both are examples of what happens when you update to the latest version rather than just applying security patches. The ultimate measure is the number of systems a person can maintain using one system over the other. For the Debian way of doing things there really isn't a limit, or more accurately other limits (like hardware failures, and dealing with network and power outages) will hit you first. In Wordpress's case there is a background rate of plugin and theme breakage which will eventually overwhelm you. The difference between the two is pretty obvious to the person paying the bills. I suspect that is the real reason Debian, a project that has no income to speak of, somehow manages to have all the infrastructure it does - 60TB servers for snapshots, a mirror network and CDN, LWN subscriptions, free venues for its conferences and I suspect lots other things. I don't know of another open source project that gets even remotely close to this level of support. It would be downright peculiar, if it weren't for the fact that the value of the service Debian provides can be judged by RedHat's turnover, which is about $3 Billion/year. For the firms throwing the occasional piece of chump change Debian's way it must look like the bargain of the century. > I also get the impression that the number of CVEs (let alone all > security issues) is scaling faster than the amount of folks in Debian > who are handling them. Is there some public proxy measure for this? For example, the number of outstanding CVE's, or average days it takes for a CVE to get fixed?
Description: This is a digitally signed message part