
Re: join us!



%% Kurt Seifried <seifried@securityportal.com> writes:

  ks> One question: where is it explicitly stated that Debian backports
  ks> fixes and that one needs to read /usr/doc/*/changelog?

I'll answer this on two levels:

First, if you're writing an article on a subject for publication it
behooves you to find this information, even if it's not explicitly
stated.  In other words, if you think to yourself "hey, that's strange,
this system seems to be shipping old, security-problem-ridden code!"
(which you basically said you thought in your article) then you should
try to find out if that's really true.  One excellent way to do that is
by posting one simple message to this mailing list.

If this had been done, you could have blasted Debian for documentation
issues, while still performing a valuable service by educating people,
via your article, on how Debian handles security updates :).

Second, you are absolutely, 100% correct that there is a serious lack of
coherent documentation in these areas when it comes to Debian.  There
are a lot of things one is just kind of expected to "know"; or at least
I haven't found anyplace that brings them all together.  Some other
examples from just the last week or so: information on Debian runlevel
handling, and information on how Debian expects to share devices (group
permissions for /dev/sound, etc.)

The Debian Guide is great for newbies but doesn't have much information
for experienced users.

Manuals for newbies are very important, of course, but Debian really
needs either an appendix or another document that provides this more
detailed, distro-specific information.  Some kind of "Introduction to
Debian for UNIX Admins".  I think Debian has many more experienced
UNIX/Linux people migrating to it than other distros, and so this kind
of "migration guide" is more important to Debian.

Please don't mark this as criticism per se: I maintain a manual too and
I know how hard it is.  I hope this is taken as encouragement for more
people to spend some time on this.

IMHO, FAQ-O-Matic is a _very cool_ tool and that should definitely be
revived and expanded, but a more "manual-like" document that could be
shipped with Debian would be even better.  Maybe even something in the
install that asked if you want to read it...

  ks> I spoke to several friends, comp sci, one with a degree in
  ks> software engineering, and they all agree this is a horrible way to
  ks> do things (the software engineer went so far as to say "a little
  ks> piece of me dies every time someone does something like that").

Uhm.  Can you provide more details about exactly what they're objecting
to?

Backporting specific fixes to earlier releases is not only not "a
horrible way to do things", but is absolutely de rigueur in the
industry.  You can't afford to put the entire set of potentially very
destabilizing changes into a current or almost-current product!
Instead, you extract the most important fixes and port them back into
the stable release so people can get the benefits of that specific fix,
in a stable environment.

Most everybody does this.  Even the Linux kernel, for example.  Many of
the packages which have security fixes announced on CERT, etc. provide
patches for older releases in addition to saying that the latest release
has fixed the problem.

I just don't understand your friends' revulsion.

-- 
-------------------------------------------------------------------------------
 Paul D. Smith <psmith@gnu.org>          Find some GNU make tips at:
 http://www.gnu.org                      http://www.paulandlesley.org/gmake/
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
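The practical upshot of the thread is that a Debian package's upstream version number says nothing about whether a fix was backported; the package changelog does. The script below is an added example, not code from the post or from Debian: it parses a changelog in the Debian format (header line `pkg (version) dist; urgency=...`, indented bullet body, ` -- maintainer` trailer) and reports the newest entry whose text mentions a given fix. The sample changelog, the package name `examplepkg` and the maintainer address are constructed for illustration; the search paths under /usr/doc and /usr/share/doc are assumptions about where a real changelog is installed.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Debian package
# carries a backported fix by reading its changelog rather than its version.
set -u

# Constructed sample in Debian changelog format (newest entry first).
SAMPLE_CHANGELOG=$(cat <<'EOF'
examplepkg (1.2.3-4) stable; urgency=high

  * Backport upstream fix for buffer overflow in the config parser (security).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.2.3-3) stable; urgency=low

  * Fix typo in manpage.

 -- Example Maintainer <maint@example.invalid>  Sun, 31 Dec 2000 00:00:00 +0000
EOF
)

# Print the Debian version of the newest changelog entry ($1: changelog text).
latest_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[A-Za-z0-9.+-]* (\([^)]*\)).*/\1/p' |
        head -n 1
}

# Print the version of the newest entry whose body matches a pattern
# (case-insensitive awk regex). $1: changelog text, $2: pattern.
# Exit status 0 if a matching entry exists, 1 otherwise.
fix_recorded() {
    printf '%s\n' "$1" | awk -v pat="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        # Header line: remember the version, strip the parentheses.
        /^[A-Za-z0-9.+-]+ \([^)]+\)/ {
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver); next
        }
        # Body line mentioning the fix: report the entry it belongs to.
        tolower($0) ~ pat { print ver; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Read the installed changelog for a package from the locations the post
# mentions (/usr/doc) and the newer /usr/share/doc layout (assumed paths).
# Prints the changelog text; exit status 1 if none is found.
installed_changelog() {
    for f in "/usr/doc/$1/changelog.Debian" "/usr/doc/$1/changelog.Debian.gz" \
             "/usr/share/doc/$1/changelog.Debian" "/usr/share/doc/$1/changelog.Debian.gz"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
        return 0
    done
    return 1
}

# Demo on the constructed sample: the upstream version is still 1.2.3, but the
# changelog shows the overflow fix arrived in Debian revision -4.
if ver=$(fix_recorded "$SAMPLE_CHANGELOG" "buffer overflow"); then
    echo "fix recorded in examplepkg $ver (installed: $(latest_version "$SAMPLE_CHANGELOG"))"
else
    echo "no changelog entry mentions the fix"
fi
```

To check a real package, pipe `installed_changelog <pkg>` into `fix_recorded` with a phrase from the advisory; an exit status of 1 means the changelog never mentions the fix, which is the case worth raising on the list before concluding the package is unpatched.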