
Re: Is oldstable security support duration something to be proud of?



Filipus Klutiero wrote:
> free distros if you want. Let's take these 3 which are not too far from 
> Debian's quality:
> RHEL and derivatives: 7 years
Rather than using a 7 year old product with security updates, you can
use a newer stable release [*].
For Debian when security support ends, there is a new stable release
available for at least a year.
Upgrading from oldstable to stable is supported. During that year you
had plenty of time to test upgrading from "oldstable" to the new
"stable" release.

IMHO if there is a new stable release available for a reasonable time (1
year is more than reasonable), then having longer security support for
an old release doesn't add to a distribution's quality.
The Debian security team should definitely be proud for doing a good job!

[*] Also the old product can have vulnerabilities that do not affect the
latest stable (for example portions of code got rewritten to be more
robust), and thus the old product won't get security updates. But are
you safer using the old product?
No, because if somebody writes an exploit for it (the old product) you
are not protected; however if you are using a newer stable release, you
wouldn't be affected by it at all.

There are other factors to consider, like length of security support
from upstream for old releases.

> Debian is somewhat better than openSUSE, equal or slightly worse than Ubuntu 
> and definitely worse than RHEL and derivatives. So on average, Debian is 
> somewhat worse than its main alternatives in this aspect. IMO one shouldn't 
> show off unless being at least a bit above average.
>   

IMHO you can't judge a distribution's quality based on the length of
security support alone.

Also consider that, with equal amounts of resources, having fewer stable
releases to support means you get better support.
[during 7 years you need to support multiple versions]

Best regards,
--Edwin
[IANADD]

