Bug#468765: Is oldstable security support duration something to be proud of?
On Mon, Mar 10, 2008 at 04:13:43PM -0400, Filipus Klutiero wrote:
> On March 10, 2008 02:56:15 pm Luk Claes, you wrote:
> > Filipus Klutiero wrote:
> > > Hi,
> > > I reported #468765 about a questionable statement on www.debian.org.
> > > Frank Lichtenheld wants this to be discussed.
> > >
> > > This statement is in a security announcement. Martin Schulze confirmed
> > > that he wrote the statement. Does the security team think that oldstable
> > > security support duration is something to be proud of?
> > >
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468765
> > Why would anyone question if a security support of at *least* 2,5 years
> > by volunteers not be something to be proud of?
> The sentence does not talk about volunteers. Even if it did, I wouldn't be
> less proud of my contributions to Debian if I was paid for them. And from the
> reader's POV, I don't appreciate Debian more because developers are mostly
> I already compared the duration of oldstable support in the bug report, but
> let's look at the total security support duration of each release of other
> free distros if you want. Let's take these 3 which are not too far from
> Debian's quality:
> RHEL and derivatives: 7 years
> openSUSE: 2 years
> Ubuntu: a bit more complex.
> 1.5 in general
> LTS releases: 3 on desktop, 5 on server
> Debian is somewhat better than openSUSE, equal or slightly worse than Ubuntu
> and definitely worse than RHEL and derivatives. So on average, Debian is
> somewhat worse than its main alternatives in this aspect.
How about in # of packages we support? Does that bump us up at all in
your pissing contest? There are many characteristics of security
support (breadth, turnaround, stability, etc.) - and different
characteristics appeal to different users. We don't have to be proud
that our N isn't as long as someone else's N, but we can certainly be
proud to have honored the commitment we made to our users.
Using # of years of support as a measurement of "goodness" is as silly
as using # of advisories as a measurement of an OS's "secureness".