
Re: join us!



On Thu, Aug 31, 2000 at 10:03:59AM -0600, Kurt Seifried wrote:
> > Personally, when I see "1.2.0pre10-4", I think, "This is not the same as the
> > original/base 1.2.0pre10."  Depending on how the numbering is implemented, it
> > has been updated 3 or 4 times since the original 1.2.0pre10.  So I would not
> > expect it to have the same bugs.
> 
> So did you fix the root hack in pre10, the DOS in rc1, or the typo in the
> install script? Oh yeah, I gotta read the changelog to find out,
> wheep. Making major changes to software (plugging root hacks counts I
> think....) and not modifying the software revision (ok, the Debian package
> number is revised, but that means nothing unless you read the changelog) is
> just a bad idea. Also when the main change in a software package is bug
> fixes and not feature additions I think it might be sane to update the
> package. As for Apache, 1.3.12 has been out 6+ months, freezing software and
> using a version much older doesn't make much sense to me (and let's face it,
> some software packages, like Apache, do an extremely good QA job and
> generally don't ship broken stuff, OTOH Big Billy Bob's IRC client version
> .34 is another story).

Regardless of how good of a QA job they do, it doesn't mean squat when you
have to assure compatibility for 6 supported architectures. Taking new
versions to fix security problems, along with all the code changes, in
this fashion, is a management nightmare. There is no way to get out a
timely and stable fixed package using this method. There's no way to test
things enough. So you use the current *known good with one exception*
version, and fix it instead. This way you can sleep at night and retain
your sanity.

> > > As for the "code freeze", well the code is NOT frozen if Debian is
> > > backporting changes into it, Apache 1.3.9 as shipped by Debian for example
> > > is more like a 1.3.9 sortof 10/11/12 but not really. While the argument "we
> > > are not adding new features" can be used, the fact of the matter is that
> > > Debian is making (in some cases significant) changes to code that changes
> > > behaviour (like fixing root hacks, cross site scripting vulnerability,
> > > whatever).
> >
> > Would you be more comfortable if it were called a "feature freeze"?
> 
> Yup. And for god's sake, document it somewhere that you need to read the
> changelogs. I've actually gotten several emails from smart Linux people
> (i.e. people that also write/manage online Linux related publications) going
> "hey, that's news to me too". I am not going to sit down and read /usr/doc/*
> just on a whim, neither are most users or even people trying to do a review
> (i.e. I wouldn't mind seeing you guys writing a review of say TurboLinux =).

I'd like to see you coordinate 6 architectural builds of some fairly
large packages and ensure stability, and compatibility for each one, just to
get a security update out. After all, we are talking about fixing the
bugs, not "ooh, we have a reason to get version 1.0-foo into stable now!"

You are right, users cannot be expected to read the changelogs all the
time. However, there is no easier way to disseminate this information
other than a) security announcements, and b) changelogs, readily available
with the packages.

You, as a journalist, yes, we can expect you to read this, or at least
contact some real Debian folks (security@debian.org maybe?) before making
assumptions. Obviously no one can write a review of an operating system
without knowledge of that system, or without further investigation into
that OS's structure and inner workings.

Remember, Debian is volunteers, so you won't get a big corporate marketing
department spilling off "oh we are great, we have <insert buzz word here>"
and so on. You'll get very intelligent, and yes, sometimes harsh folks,
who do nothing but work on this all day long, and know what they are
talking about. They will give you straight answers, and most of the time,
when you speak intelligently yourself, and show an interest, rather than
negativity, they are even open to suggestions.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'