
Re: Is oldstable security support duration something to be proud of?



On March 10, 2008 04:58:28 pm Török Edwin, you wrote:
> Filipus Klutiero wrote:
> > free distros if you want. Let's take these 3 which are not too far from
> > Debian's quality:
> > RHEL and derivatives: 7 years
>
> Rather than using a 7 year old product with security updates, you can
> use a newer stable release [*].
> For Debian when security support ends, there is a new stable release
> available for at least a year.
> Upgrading from oldstable to stable is supported. During that year you
> had plenty of time to test upgrading from "oldstable" to the new
> "stable" release.
>
> IMHO if there is a new stable release available for a reasonable time (1
> year is more than reasonable), then having longer security support for
> an old release doesn't
> add to a distribution's quality.
It does add a bit, for those ~1% of users that didn't upgrade yet.
> The Debian security team should definitely be proud for doing a good job!
>
> [*] Also the old product can have vulnerabilities that do not affect the
> latest stable, (for example portions of code got rewritten to be more
> robust),
> and thus the old product won't get security updates. But are you safer
> using the old product?
No. My point is not that users shouldn't upgrade or that Debian releases 
should be supported for longer. I'm just pointing out that it's 
useless/misleading to state the project is proud of the security support 
duration.

> No, because if somebody writes an exploit for it (the old product) you
> are not protected; however if you are using a newer stable release, you
> wouldn't be affected by it at all.
>
> There are other factors to consider, like length of security support
> from upstream for old releases.
>
> > Debian is somewhat better than openSUSE, equal or slightly worse than
> > Ubuntu and definitely worse than RHEL and derivatives. So on average,
> > Debian is somewhat worse than its main alternatives in this aspect. IMO
> > one shouldn't show off unless being at least a bit above average.
>
> IMHO you can't judge a distribution's quality based on the length of
> security support alone.
Of course...note the "in this aspect". All we are/should be discussing here is 
the security support duration of oldstable, not Debian's quality. If I didn't 
think that Debian was the best, I wouldn't use it nor bother reporting its 
bugs.

