Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote:

> I've been meaning to add more informative info to the security-tracker about end-of-lifed packages. Right now you can see that info in the raw tracker data, but the generated web pages don't make that clear at all.

Is the raw tracker data you are talking about?

http://anonscm.debian.org/viewvc/secure-testing/data/package-tags?view=co

As far as I can tell users are very unlikely to notice this. The tags are exported to the Packages files in wheezy but apt doesn't do anything with that information. debsecan doesn't seem to have support for these secteam tags and also lacks integration with apt (#431804). debsecan needs more people helping with it.

--
bye,
pabs

http://wiki.debian.org/PaulWise

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/CAKTje6F11mpP2kn_Gn==6m4z-5d85i-qerfsbyuaevvzw-x...@mail.gmail.com
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
❦ 1 September 2013 12:04 CEST, Paul Wise p...@debian.org:

> http://anonscm.debian.org/viewvc/secure-testing/data/package-tags?view=co
>
> As far as I can tell users are very unlikely to notice this. The tags are exported to the Packages files in wheezy but apt doesn't do anything with that information. debsecan doesn't seem to have support for these secteam tags and also lacks integration with apt (#431804). debsecan needs more people helping with it.

Or a maintainer willing to accept patches:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470065

--
Use the telephone test for readability.
- The Elements of Programming Style (Kernighan & Plauger)
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Sun, Sep 1, 2013 at 6:04 AM, Paul Wise wrote:

> On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote:
>> I've been meaning to add more informative info to the security-tracker about end-of-lifed packages. Right now you can see that info in the raw tracker data, but the generated web pages don't make that clear at all.
>
> Is the raw tracker data you are talking about?
>
> http://anonscm.debian.org/viewvc/secure-testing/data/package-tags?view=co

No, the end-of-life tags in:

http://anonscm.debian.org/viewvc/secure-testing/data/CVE/list?view=co

> As far as I can tell users are very unlikely to notice this. The tags are exported to the Packages files in wheezy but apt doesn't do anything with that information. debsecan doesn't seem to have support for these secteam tags and also lacks integration with apt (#431804). debsecan needs more people helping with it.

Yes, this information really needs to be more user visible. Assistance with the security tracker is welcomed. debsecan hasn't had a maintainer upload in almost two years, so nmus fixing its open issues are quite appropriate.

Best wishes,
Mike
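
The gap discussed in the messages above (end-of-life status is recorded in the tracker data, but nothing on the user's machine reports it) can be illustrated with a small check. This is an added example, not part of the thread and not code from the security tracker or debsecan; the entry layout, the sample data and the package names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not real tracker data. Assumed layout: an unindented
# "CVE-..." header line, followed by indented per-package lines of the form
# "[release] - package status (optional note)", where status is either a
# fixed version or a tag such as <end-of-life>.
SAMPLE_CVE_LIST = """\
CVE-0000-0001 (constructed: flaw in a browser engine)
\t- examplebrowser 17.0.8-1
\t[squeeze] - examplebrowser <end-of-life>
CVE-0000-0002 (constructed: flaw in a mail server)
\t- examplemta 2.9.6-2
\t[squeeze] - examplemta 2.7.1-1+squeeze1
CVE-0000-0003 (constructed: second browser flaw)
\t[squeeze] - examplebrowser <end-of-life>
\t[squeeze] - exampleplugin <end-of-life> (no longer supported upstream)
"""

# One per-package line: optional "[release]", a dash, package name, status.
ENTRY_RE = re.compile(
    r"^\s+(?:\[(?P<release>[a-z]+)\]\s+)?-\s+(?P<package>\S+)\s+(?P<status>\S+)"
)


def end_of_life_packages(cve_list_text, release):
    """Return {package: [CVE ids]} for entries tagged <end-of-life> in release."""
    found = defaultdict(set)
    current_cve = None
    for line in cve_list_text.splitlines():
        if line.startswith("CVE-"):
            # Header line opens a new entry; the id is its first token.
            current_cve = line.split()[0]
            continue
        match = ENTRY_RE.match(line)
        if match is None or current_cve is None:
            continue  # DSA cross-references, notes, blank lines
        if match["release"] == release and match["status"] == "<end-of-life>":
            found[match["package"]].add(current_cve)
    return {pkg: sorted(cves) for pkg, cves in found.items()}


def unsupported_installed(installed, cve_list_text, release):
    """Intersect installed packages with the end-of-life set for release.

    Assumption: `installed` holds source package names, since the tracker
    data is keyed by source package rather than binary package.
    """
    eol = end_of_life_packages(cve_list_text, release)
    return {pkg: eol[pkg] for pkg in sorted(installed) if pkg in eol}


def format_warnings(installed, cve_list_text, release):
    """Render one user-visible warning line per unsupported installed package."""
    hits = unsupported_installed(installed, cve_list_text, release)
    return [
        f"{pkg}: no security support in {release}; "
        f"{len(cves)} open issue(s): {', '.join(cves)}"
        for pkg, cves in hits.items()
    ]


if __name__ == "__main__":
    # Constructed inventory standing in for the host's installed packages.
    host_packages = {"examplebrowser", "examplemta", "bash"}
    for warning in format_warnings(host_packages, SAMPLE_CVE_LIST, "squeeze"):
        print(warning)
```
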
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 4:50 PM, Pau Garcia i Quiles wrote:

> On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery wrote:
>>> IMHO the Security Team should not act as fixers themselves but more as proxies, passing information about a security issue to the maintainer of the package.
>>
>> And what happens then if the maintainer doesn't respond?
>
> Then, and only then, as a last resort, the Security Team / LTS Team takes care of the problem

I'm pretty sure that this is a kind of wishful thinking. History has shown that people in debian will not tolerate being told what to do. If you want an itch scratched, you simply have to scratch it yourself.

If you're interested in improving debian security, please become a contributor:

https://security-tracker.debian.org/tracker/data/report

Best wishes,
Mike
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 9:58 AM, Simon McVittie wrote:

> On 27/08/13 14:32, Pau Garcia i Quiles wrote:
>> What do you do with the 1 year of support Debian currently gives to oldstable? It's also 1 year you stopped using that version, so no technical challenge either.
>
> There does need to be some amount of overlap, because people can't necessarily upgrade machines (particularly servers) instantaneously on release day. Even a year of overlap seems rather long, though.

Right now, it's sort of a staggered overlap. For example web browser security updates are no longer happening in squeeze. Users are already expected to upgrade to wheezy for web browser security support.

I've been meaning to add more informative info to the security-tracker about end-of-lifed packages. Right now you can see that info in the raw tracker data, but the generated web pages don't make that clear at all.

Best wishes,
Mike
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Thu, Aug 29, 2013 at 05:31:26PM +0200, Ondřej Surý wrote:

> So properly maintaining our stable/oldstable is a mandatory first step into being able to provide even longer support for random release we start to call the LTS. Whether we achieve that by throwing more manpower into the bunch, or splitting the archive into KEY packages (as defined in recent d-d-a email) and non-KEY packages, is different matter.

So that means my question/suggestion is valid even for the non-LTS case, doesn't it?

Michael

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Hi,

On Tue Aug 27, 2013 at 02:11:56 +0200, Thomas Goirand wrote:

> On 08/26/2013 12:33 PM, Neil McGovern wrote:
>> I'm hoping that these raising of hands are also offers to help do the work to make it happen.
>
> Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.

I am raising my hand here. I am willing to support the debian security team. I will be able to do that during my paid work time, as my employer, credativ, is backing this.

Mid-term goal should be a Debian LTS version, but we can only achieve this by enhancing the debian security team.

Cheers,
Martin

--
Martin Zobel-Helas
Team Lead, Operations
Tel.: +49 (2161) 4643-196
Fax: +49 (2161) 4643-100
Email: martin.zobel-he...@credativ.de
pgp fingerprint 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Managing directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Thu, Aug 29, 2013 at 11:59 AM, Martin Zobel-Helas wrote:

> I am raising my hand here. I am willing to support the debian security team. I will be able to do that during my paid work time, as my employer, credativ, is backing this.
>
> Mid-term goal should be a Debian LTS version, but we can only achieve this by enhancing the debian security team.

For yourself and anyone else who wants to get involved:

Maintaining the security tracker data is a great way to start helping with security stuff:

http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
https://security-tracker.debian.org/tracker/data/report

Having debsecan (or a nagios check based on it) run on debian.org and credativ machines could be an interesting way forward. This is likely to require some triage of incoming issues since many of them are only a problem under specific conditions.

The security audit efforts need reviving:

http://www.debian.org/security/audit/

Targets for security updates can be found in the links on the front page of the security tracker:

https://security-tracker.debian.org/tracker/

Procedures for security updates are in devref of course:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

The codesearch site is useful for finding code copies, which are documented in SVN:

http://codesearch.debian.net/
https://wiki.debian.org/EmbeddedCodeCopies

It is also useful for finding potentially vulnerable code or the presence of specific issues.

Some other stuff on the wiki:

https://wiki.debian.org/Teams/Security

There are some efforts for running static analysis tools over the archive, which could be useful for finding more potential security issues.

http://firewoes.debian.net/
http://qa.debian.org/daca/

--
bye,
pabs

http://wiki.debian.org/PaulWise
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote:

> On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org wrote:
>> Anyhow, I doubt we can reasonably expect to maintain *all* packages for a longer period. How about starting with a defined list of packages that we do care about in an LTS? I would start with just the basic system and the most important server packages.
>
> Well, and how about starting to look at RFH for packages you care about right now and help with security (and SPU) updates right now, even without LTS?

How about not combining two different topics? I don't see a reason why a discussion about a way to provide LTS needs to get shot with the suggestion to help with some random package instead.

Of course you definitely have a point in that some/a lot of packages need work, but I think it is also reasonable to discuss a strategy for a desirable (IMO) long-term goal.

Michael

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Thu, Aug 29, 2013 at 2:08 PM, Michael Meskes mes...@debian.org wrote:

> On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote:
>> On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org wrote:
>>> Anyhow, I doubt we can reasonably expect to maintain *all* packages for a longer period. How about starting with a defined list of packages that we do care about in an LTS? I would start with just the basic system and the most important server packages.
>>
>> Well, and how about starting to look at RFH for packages you care about right now and help with security (and SPU) updates right now, even without LTS?
>
> How about not combining two different topics? I don't see a reason why a discussion about a way to provide LTS needs to get shot with the suggestion to help with some random package instead.
>
> Of course you definitely have a point in that some/a lot of packages need work, but I think it is also reasonable to discuss a strategy for a desirable (IMO) long-term goal.

I don't think it's a different topic. If we are unable to support our stable and oldstable distributions in proper way due to lack of time/manpower/interest/... (see Holger's email), then I can't imagine we can support a LTS release that would require even more time and manpower.

So properly maintaining our stable/oldstable is a mandatory first step into being able to provide even longer support for random release we start to call the LTS. Whether we achieve that by throwing more manpower into the bunch, or splitting the archive into KEY packages (as defined in recent d-d-a email) and non-KEY packages, is different matter.

O.

--
Ondřej Surý ond...@sury.org
Have you tried Knot DNS – https://www.knot-dns.cz/ – a high-performance authoritative-only DNS server
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/27/2013 06:53 AM, Pau Garcia i Quiles wrote:

> stable. Having a team of people like Mike, Michael, Gustavo, me, etc to take care of EVERY package is plain impossible, especially if we want 5 years

i didn't say EVERY package
i say the packages we care about

we simply don't have the manpower to do it, neither the interest
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, 27 Aug 13, 10:18:53, Russ Allbery wrote:

> Alternately, we could be far more aggressive about removing packages from oldstable, I suppose, but I don't think that's a good idea; that just leaves our users with exactly the sorts of choices that we're trying to avoid. I think it's much cleaner and better for our users to offer full security support and then retire the whole distribution at the same time. It makes planning considerably easier, among other things.

Why not add something like this to the DSA:

    Unfortunately due to lack of resources there will be no updated packages for oldstable. For contributing a fix yourself contact the Debian LTS Team.

Maybe even not include it in the DSA, but a special new advisory, since DSAs have a lot of boilerplate and people may not be actually reading them.

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):

> On 27 August 2013 19:32, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
>> Worse: in practice, removing packages is invisible to the users and their package manager. The `removed' packages just remain, vulnerable, on the users' systems.
>
> Why not in this case creating an empty package depending of an non existing package ?

Because we should leave the user the choice to keep using the unsupported software, rather than ripping it out from under them.

Ian.
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Ian Jackson writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):

> Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):
>> Why not in this case creating an empty package depending of an non existing package ?
>
> Because we should leave the user the choice to keep using the unsupported software, rather than ripping it out from under them.

Oh, wait, I don't think I read your proposal correctly. I'm not sure exactly what effect this would have but, presumably, mostly a complaint from the package manager ?

Ian.
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:

> I don't really understand it myself as server packages and their dependencies tend to be stable and I tend to want the latest versions of dovecot, unbound etc.. However perhaps there is a divide here between servers which want longer support for few packages and desktops which want stable but secure yet as featureful as is sensible desktops.

I think you have a very valid point here. I kind of doubt many people would like to run on a five year old desktop.

Anyhow, I doubt we can reasonably expect to maintain *all* packages for a longer period. How about starting with a defined list of packages that we do care about in an LTS? I would start with just the basic system and the most important server packages.

I wonder whether it makes sense to align our LTS with others, let's say Ubuntu, to reduce the workload for both sides?

Finally what do we do with packages that are no longer supported by upstream? Do we essentially take over or do we restrict updates for as long as upstream provides fixes?

Michael

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org wrote:

> On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:
>> I don't really understand it myself as server packages and their dependencies tend to be stable and I tend to want the latest versions of dovecot, unbound etc.. However perhaps there is a divide here between servers which want longer support for few packages and desktops which want stable but secure yet as featureful as is sensible desktops.
>
> I think you have a very valid point here. I kind of doubt many people would like to run on a five year old desktop.
>
> Anyhow, I doubt we can reasonably expect to maintain *all* packages for a longer period. How about starting with a defined list of packages that we do care about in an LTS? I would start with just the basic system and the most important server packages.

Well, and how about starting to look at RFH for packages you care about right now and help with security (and SPU) updates right now, even without LTS?

O.

--
Ondřej Surý ond...@sury.org
Have you tried Knot DNS – https://www.knot-dns.cz/ – a high-performance authoritative-only DNS server
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Wed, Aug 28, 2013 at 04:29:08PM +0200, Michael Meskes wrote:

> On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:
>> I don't really understand it myself as server packages and their dependencies tend to be stable and I tend to want the latest versions of dovecot, unbound etc.. However perhaps there is a divide here between servers which want longer support for few packages and desktops which want stable but secure yet as featureful as is sensible desktops.
>
> I think you have a very valid point here. I kind of doubt many people would like to run on a five year old desktop.

Stats seem to disagree:

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=11qpcustomb=0

Neil
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Wed, Aug 28, 2013 at 4:55 PM, Neil McGovern ne...@debian.org wrote:

>> I think you have a very valid point here. I kind of doubt many people would like to run on a five year old desktop.
>
> Stats seem to disagree:
>
> http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=11qpcustomb=0

Five year old desktop doesn't matter as long as you can install recent applications. That's not a problem on Windows or Mac, and it's not a problem on Linux (or any other Unix) either thanks to RPATH/RUNPATH with $ORIGIN.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Wed, Aug 28, 2013 at 12:47 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:

> Ian Jackson writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):
>> Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"):
>>> Why not in this case creating an empty package depending of an non existing package ?
>>
>> Because we should leave the user the choice to keep using the unsupported software, rather than ripping it out from under them.
>
> Oh, wait, I don't think I read your proposal correctly. I'm not sure exactly what effect this would have but, presumably, mostly a complaint from the package manager ?

Exactly refuse to upgrade install security.

Suppose that a package badpackage is not supported by LTS. LTS teams release a new version of package (arch-all):

Package: badpackage
Depends: ltsnotsupported, ${misc:Depends}
Architecture: all
Section: ltsnotsuported
Description: This package is not supported any more by LTS team
 This package is not supported any more by LTS team.
 .
 This package is not carry a SECURITY RISK and was removed from debian LTS.
 .
 THIS PACKAGE WAS INSECURE LTS REMOVED.
 .
 This package is not installable any more and thus upgrade will fail.
 .
 If you care about this package please join the LTS team or backport security fix.
 .
 If you accept the security risk you should add pinning see http://www.debian.org/ltssecuritypinning.
 .
 Alternatively you could remove the reverse depends of this package, but you should be warned that some system functionality may be removed see http://www.debian.org/ltssecurityremoverdepends.

> Ian.
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 02:11:56AM +0200, Thomas Goirand wrote:

> Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.

Raising my hand here ...

Michael

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org wrote:

>> Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.
>
> Raising my hand here ...

One more hand.

But I'd like to stress we need *all* developers to be involved fix bugs (esp. security) in their packages in all the supported releases, not only in current-stable. Having a team of people like Mike, Michael, Gustavo, me, etc to take care of EVERY package is plain impossible, especially if we want 5 years support for the *whole* archive (IMHO Ubuntu did a smart move in regards to support when it split the archive in main/universe/multiverse and decided to support only main).

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote:

> But I'd like to stress we need *all* developers to be involved fix bugs (esp. security) in their packages in all the supported releases, not only in current-stable.

I am afraid I am not on board for this. I do not agree with requiring me to support old software for years and years after I've stopped using it. It is not something that interests me as a technical challenge; instead the task is tedious and boring.

If you think this extra couple of years of support is something you want to work on, that's fine. Please don't think it is a goal everyone else in Debian agrees with, or is willing to work on.

--
http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, 2013-08-27 at 11:53 +0200, Pau Garcia i Quiles wrote:

> On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org wrote:
>>> Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.
>>
>> Raising my hand here ...
>
> One more hand.
>
> But I'd like to stress we need *all* developers to be involved fix bugs (esp. security) in their packages in all the supported releases, not only in current-stable.
[...]

The challenge was: who is willing to do the work. Your answer is: me, but only everyone else helps. That doesn't answer the challenge at all.

It's hard enough to get maintainers to fix bugs in current stable (backporting can be difficult, and some just don't care), let alone another 3 years of LTS.

Ben.

--
Ben Hutchings
All extremists should be taken out and shot.
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote:

> The challenge was: who is willing to do the work. Your answer is: me, but only everyone else helps. That doesn't answer the challenge at all.
>
> It's hard enough to get maintainers to fix bugs in current stable (backporting can be difficult, and some just don't care), let alone another 3 years of LTS.

Indeed. Look at the security team for example. In theory, if all maintainers cared enough about the older packages, we wouldn't need the level of people we currently do.

So, if you want to see a longer support period, then *first* you should join the teams who support the stable releases, and encourage others to do the same.

Neil
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote:

> The challenge was: who is willing to do the work. Your answer is: me, but only everyone else helps. That doesn't answer the challenge at all.

Agreed.

> It's hard enough to get maintainers to fix bugs in current stable (backporting can be difficult, and some just don't care), let alone another 3 years of LTS.

Which brings up the interesting question how it works for stable now. How often do bugs get fixed by the security team and how often by maintainers themselves? How much work is this for the security team?

Yes, I know, the older the software gets, the more difficult it is to backport patches, if at all possible.

Michael

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 2:09 PM, Neil McGovern n...@halon.org.uk wrote:

> Indeed. Look at the security team for example. In theory, if all maintainers cared enough about the older packages, we wouldn't need the level of people we currently do.

IMHO the Security Team should not act as fixers themselves but more as proxies, passing information about a security issue to the maintainer of the package. Maintainers are not always fully aware some old version of their package is affected by a security issue. OTOH, the Security Team is continually monitoring CVEs, etc.

Or at least, that's how I'd like the Security Team to work. It would alleviate the burden on them and move the bugfixing/security fixing to the people who know the package better and are probably in touch with upstream.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/27/2013 11:53 AM, Pau Garcia i Quiles wrote:

> On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org wrote:
>>> Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.
>>
>> Raising my hand here ...
>
> One more hand.

Cool, thanks. So, we are now 4, I think that's good enough to plan on doing something.

> But I'd like to stress we need *all* developers to be involved fix bugs (esp. security) in their packages in all the supported releases, not only in current-stable. Having a team of people like Mike, Michael, Gustavo, me, etc to take care of EVERY package is plain impossible, especially if we want 5 years support for the *whole* archive

That's not my plan. My plan is to do as much as we can for the packages we care about. For example, I need security updates for bind9, apache2, postfix and such. I'm not interested at all in doing any Desktop software maintenance (my laptop is using at least Stable, and sometimes testing (when close to a release)).

> (IMHO Ubuntu did a smart move in regards to support when it split the archive in main/universe/multiverse and decided to support only main).

I don't see any smartness when declaring that things are community maintained (eg: the work is done in Debian, and sync if we ask...). It's just that they decided not to take responsibility for part of the archive.

What we could do, would be to track what needs to be patched and what has already been fixed. If our users have a clear list of what is maintained or not, then that's enough to me.

On 08/27/2013 12:03 PM, Lars Wirzenius wrote:

> I am afraid I am not on board for this. I do not agree with requiring me to support old software for years and years after I've stopped using it.

I don't think anyone wants to *require* this from anyone. At least that's not my plan.

> It is not something that interests me as a technical challenge; instead the task is tedious and boring.

I agree, it's boring and not interesting. Though I need it for my company online services, and so does a lot of people. My idea is just to gather workforces of those who do it privately (like some already reported in this thread) and put that in a single (trusted) repository, then see how it goes. If it gains traction after Squeeze is EOL, then we can push the idea further and make it more official, after Wheezy is EOL.

Cheers,
Thomas
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 12:03 PM, Lars Wirzenius l...@liw.fi wrote:

On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote:

But I'd like to stress we need *all* developers to be involved in fixing bugs (esp. security) in their packages in all the supported releases, not only in current-stable.

I am afraid I am not on board for this. I do not agree with requiring me to support old software for years and years after I've stopped using it. It is not something that interests me as a technical challenge; instead the task is tedious and boring.

(I don't want this to sound rude or smartass but genuinely interested because I'm surprised more DDs think like you, as I discovered in the DreamHost thread)

What do you do with the 1 year of support Debian currently gives to oldstable? It's also 1 year you stopped using that version, so no technical challenge either.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/27/2013 12:41 PM, Ben Hutchings wrote:

It's hard enough to get maintainers to fix bugs in current stable (backporting can be difficult, and some just don't care), let alone another 3 years of LTS.

Ben.

I agree with what you wrote above Ben. Though that is not in a direct relation with what we can do for packages we care about (I already gave a small list of very important packages for me).

Also, what one has to do currently to get packages updated in stable is demotivating (don't get me wrong: I do understand why we have things like they are in Stable, though one has got to be blind to not see the demotivating side of it). I don't intend to implement such administrative overhead for updating this very-old-stable security repository. If we are only a small group of volunteers working on it, it will be easier to implement as well.

Thomas

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/27/2013 02:28 PM, Michael Meskes wrote:

Which brings up the interesting question how it works for stable now. How often do bugs get fixed by the security team and how often by maintainers themselves? How much work is this for the security team? Yes, I know, the older the software gets, the more difficult it is to backport patches, if at all possible.

Michael

I too, would like to know these stats.

Thomas

P.S: Before this thread, I thought updates were always updated by maintainers, and not by the security team.

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 27/08/13 14:32, Pau Garcia i Quiles wrote:

What do you do with the 1 year of support Debian currently gives to oldstable? It's also 1 year you stopped using that version, so no technical challenge either.

There does need to be some amount of overlap, because people can't necessarily upgrade machines (particularly servers) instantaneously on release day. Even a year of overlap seems rather long, though.

When there are serious bugs in my packages, I backport fixes to stable, then weigh up the benefit of also backporting to oldstable vs. the time I expect it to take and the risk of regressions. For things that didn't merit a DSA (e.g. DoS via a remotely-triggerable NULL dereference in desktop software), my conclusion has often been the risk of regressions is too close to the expected benefit, I'm not going to bother. After all, if I accidentally introduce a crash bug, that's a DoS that applies to everyone, not just people whose IM contacts were actively trying to exploit a vulnerability.

Sorting out security vulnerabilities is something I do because I feel responsible for packages, rather than something I do because it's fun - doubly so for oldstable, where a diminishing number of people actually care about the vulnerability.

S

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Pau Garcia i Quiles pgqui...@elpauer.org writes:

IMHO the Security Team should not act as fixers themselves but more as proxies, passing information about a security issue to the maintainer of the package.

And what happens then if the maintainer doesn't respond?

If we're going to offer meaningful security support, we have to have a bug-fixer of last resort, and that's the party most stressed by extending security support. Particularly since for every year we extend it, more maintainers will be uninterested in doing so for their own packages.

Alternately, we could be far more aggressive about removing packages from oldstable, I suppose, but I don't think that's a good idea; that just leaves our users with exactly the sorts of choices that we're trying to avoid. I think it's much cleaner and better for our users to offer full security support and then retire the whole distribution at the same time. It makes planning considerably easier, among other things.

--
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Russ Allbery writes (Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)):

If we're going to offer meaningful security support, we have to have a bug-fixer of last resort, and that's the party most stressed by extending security support. Particularly since for every year we extend it, more maintainers will be uninterested in doing so for their own packages.

This is for me the key point.

In practice fairly few maintainers are going to be willing to put in extra effort for longer support - and particularly not in the cases where this is most difficult. So any proposal to do an LTS involves almost all of the extra security effort falling on the LTS security team.

That we don't have an LTS security team composed of people willing to shoulder that burden is the reason we don't have an LTS. Statements that maintainers should help out are not encouraging.

If it turns out that there are people who _do_ want to do that work, with a minimum of concrete help from maintainers, then of course that is to be encouraged.

Alternately, we could be far more aggressive about removing packages from oldstable, I suppose, but I don't think that's a good idea; that just leaves our users with exactly the sorts of choices that we're trying to avoid. I think it's much cleaner and better for our users to offer full security support and then retire the whole distribution at the same time. It makes planning considerably easier, among other things.

Worse: in practice, removing packages is invisible to the users and their package manager. The `removed' packages just remain, vulnerable, on the users' systems.

Ian.

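The point made in the message above, that a package dropped from the archive stays installed and simply stops receiving updates, can be checked on a host by comparing the dpkg status database with the Packages indexes apt has downloaded. This is an added example, not code from the thread or from any Debian tool; the function names are hypothetical and both sample inputs are constructed.

```python
# Added example: report installed packages that no known archive index ships.
# Real inputs would be /var/lib/dpkg/status and the Packages indexes under
# /var/lib/apt/lists/; the two samples below are constructed for illustration.

SAMPLE_STATUS = """\
Package: bind9
Status: install ok installed
Version: 1:9.7.3-1
Description: Internet Domain Name Server
 Continuation lines start with a space.

Package: oldchat
Status: install ok installed
Version: 0.4-2

Package: postfix
Status: hold ok installed
Version: 2.7.1-1

Package: purged-tool
Status: deinstall ok config-files
Version: 1.0-1
"""

SAMPLE_INDEX = """\
Package: bind9
Version: 1:9.7.3-1+fix1

Package: postfix
Version: 2.7.1-1

Package: apache2
Version: 2.2.16-6
"""


def parse_stanzas(text):
    """Parse deb822 text into a list of {field: value} dicts (keys lowercased)."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t":               # continuation of the previous field
            if last is not None:
                current[last] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")   # split on the first colon only
            last = name.strip().lower()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def installed_packages(status_text):
    """Return {name: version} for packages whose dpkg state is 'installed'."""
    result = {}
    for stanza in parse_stanzas(status_text):
        state = stanza.get("status", "").split()
        if "package" in stanza and state and state[-1] == "installed":
            result[stanza["package"]] = stanza.get("version", "")
    return result


def archive_packages(index_texts):
    """Return the set of package names offered by any of the given indexes."""
    return {s["package"] for text in index_texts
            for s in parse_stanzas(text) if "package" in s}


def unsupported_installed(status_text, index_texts):
    """Installed packages that no index offers, so no update can ever arrive.

    Locally built or manually installed packages are reported as well,
    since the archive cannot deliver fixes for them either.
    """
    available = archive_packages(index_texts)
    installed = installed_packages(status_text)
    return sorted((n, v) for n, v in installed.items() if n not in available)


if __name__ == "__main__":
    for name, version in unsupported_installed(SAMPLE_STATUS, [SAMPLE_INDEX]):
        print(f"{name} {version}: installed, but not in any configured archive")
```
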
Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Alternately, we could be far more aggressive about removing packages from oldstable, I suppose, but I don't think that's a good idea; that just leaves our users with exactly the sorts of choices that we're trying to avoid. I think it's much cleaner and better for our users to offer full security support and then retire the whole distribution at the same time. It makes planning considerably easier, among other things.

I don't really understand it myself as server packages and their dependencies tend to be stable and I tend to want the latest versions of dovecot, unbound etc. However perhaps there is a divide here between servers which want longer support for few packages and desktops which want stable but secure yet as featureful as is sensible desktops.

--
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 27 August 2013 19:32, Ian Jackson ijack...@chiark.greenend.org.uk wrote:

Russ Allbery writes (Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)):

If we're going to offer meaningful security support, we have to have a bug-fixer of last resort, and that's the party most stressed by extending security support. Particularly since for every year we extend it, more maintainers will be uninterested in doing so for their own packages.

This is for me the key point.

In practice fairly few maintainers are going to be willing to put in extra effort for longer support - and particularly not in the cases where this is most difficult. So any proposal to do an LTS involves almost all of the extra security effort falling on the LTS security team.

That we don't have an LTS security team composed of people willing to shoulder that burden is the reason we don't have an LTS. Statements that maintainers should help out are not encouraging.

If it turns out that there are people who _do_ want to do that work, with a minimum of concrete help from maintainers, then of course that is to be encouraged.

Alternately, we could be far more aggressive about removing packages from oldstable, I suppose, but I don't think that's a good idea; that just leaves our users with exactly the sorts of choices that we're trying to avoid. I think it's much cleaner and better for our users to offer full security support and then retire the whole distribution at the same time. It makes planning considerably easier, among other things.

Worse: in practice, removing packages is invisible to the users and their package manager. The `removed' packages just remain, vulnerable, on the users' systems.

Why not, in this case, create an empty package depending on a non-existing package?

Ian.

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery r...@debian.org wrote:

IMHO the Security Team should not act as fixers themselves but more as proxies, passing information about a security issue to the maintainer of the package.

And what happens then if the maintainer doesn't respond?

Then, and only then, as a last resort, the Security Team / LTS Team takes care of the problem

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Michael Meskes mes...@debian.org wrote:

Which brings up the interesting question how it works for stable now. How often do bugs get fixed by the security team and how often by maintainers themselves?

No hard numbers, but I'd suppose half and half (i.e. cases, where the maintainer prepared the update, which of course still needs to be reviewed/tested by the person releasing it).

Cheers,
Moritz

Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Hi Charles,

On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:

Altogether, it is a lot of work, but if we have enough people for doing it, I think that it would be very positive for us.

/me raises his hand for giving his work for longer maintenance of former Debian stable releases. For customer sites 2.5yrs + 1yr stable/oldstable does not suffice.

Regards,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Hi All,

On 08/26/2013 09:31 AM, Mike Gabriel wrote:

Hi Charles,

On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:

Altogether, it is a lot of work, but if we have enough people for doing it, I think that it would be very positive for us.

/me raises his hand for giving his work for longer maintenance of former Debian stable releases. For customer sites 2.5yrs + 1yr stable/oldstable does not suffice.

Me too. I think we should match the five years Ubuntu LTS offers for at least part of the packages like Ubuntu does with main/universe [1] distinction.

Cheers,
Balint

[1] https://help.ubuntu.com/community/Repositories

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Mon, Aug 26, 2013 at 11:14:25AM +0200, Balint Reczey wrote:

Hi All,

On 08/26/2013 09:31 AM, Mike Gabriel wrote:

Hi Charles,

On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:

Altogether, it is a lot of work, but if we have enough people for doing it, I think that it would be very positive for us.

/me raises his hand for giving his work for longer maintenance of former Debian stable releases. For customer sites 2.5yrs + 1yr stable/oldstable does not suffice.

Me too. I think we should match the five years Ubuntu LTS offers for at least part of the packages like Ubuntu does with main/universe [1] distinction.

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

Neil

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/26/2013 07:33 AM, Neil McGovern wrote:

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

i offer help, we are interested in longer maintenance for some packages.

i think we should start to coordinate, if anybody else is willing to help with the work

maybe l...@lists.debian.org? if it is not possible i can host a mailing list

thanks

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
gustavo panizzo gfa wrote on Monday, 26 August 2013:

On 08/26/2013 07:33 AM, Neil McGovern wrote:

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

i offer help, we are interested in longer maintenance for some packages.

i think we should start to coordinate, if anybody else is willing to help with the work

maybe l...@lists.debian.org? if it is not possible i can host a mailing list

If there is really interest, a list on l.d.o wouldn't be a problem. Just follow http://www.debian.org/MailingLists/HOWTO_start_list.en.html and get a few seconders for the new list.

Alex - with his Listmaster hat on

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 26/08/13 at 10:00 -0300, gustavo panizzo gfa wrote:

On 08/26/2013 07:33 AM, Neil McGovern wrote:

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

i offer help, we are interested in longer maintenance for some packages.

i think we should start to coordinate, if anybody else is willing to help with the work

maybe l...@lists.debian.org? if it is not possible i can host a mailing list

Hi,

Long-term support of stable releases was one of the reasons for the debian-companies@ initiative. I'm Ccing Michael Meskes, who is interested in coordinating this initiative.

Lucas

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Lucas Nussbaum wrote on Monday, 26 August 2013:

On 26/08/13 at 10:00 -0300, gustavo panizzo gfa wrote:

On 08/26/2013 07:33 AM, Neil McGovern wrote:

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

i offer help, we are interested in longer maintenance for some packages.

i think we should start to coordinate, if anybody else is willing to help with the work

maybe l...@lists.debian.org? if it is not possible i can host a mailing list

Hi,

Long-term support of stable releases was one of the reasons for the debian-companies@ initiative. I'm Ccing Michael Meskes, who is interested in coordinating this initiative.

JFTR Coordination of LTS support should not go through a closed list.

Alex

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
Long-term support of stable releases was one of the reasons for the debian-companies@ initiative. I'm Ccing Michael Meskes, who is interested in coordinating this initiative.

JFTR Coordination of LTS support should not go through a closed list.

And I don't think anyone suggested that. The debian-companies list is closed so that the companies can discuss where they want to go before going public with it. LTS is certainly something companies can and should help with, but more importantly something involving Debian as a whole. So this discussion should be public.

Michael

P.S.: Expect an email about the debian-companies initiative in the next couple days.

--
Dr. Michael Meskes, Geschäftsführer/CEO
Tel.: +49 (0)2161 / 46 43 0
E-Mail: michael.mes...@credativ.com
IM: m...@jabber.credativ.com
credativ international GmbH, HRB Moenchengladbach 15543, Hohenzollernstr. 133, 41061 Moenchengladbach, Germany
Management: Dr. Michael Meskes, Joerg Folz
Global: http://credativ.com Canada: http://credativ.ca Germany: http://credativ.de India: http://credativ.in UK: http://credativ.co.uk USA: http://credativ.us

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Mon, Aug 26, 2013 at 09:31:06AM +0200, Mike Gabriel wrote:

Hi Charles,

On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:

Altogether, it is a lot of work, but if we have enough people for doing it, I think that it would be very positive for us.

/me raises his hand for giving his work for longer maintenance of former Debian stable releases. For customer sites 2.5yrs + 1yr stable/oldstable does not suffice.

Regards,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Depends: it's quite feasible to move between Debian stable releases without a problem. That gives you 2 years + a year to switch over + 2 years + a year - then your hardware's five year lifecycle is up and you're throwing it away.

Red Hat Enterprise Linux will give you 10 years fully supported - but relatively little software and you end up having to use EPEL / Repoforge / RPMForge all unsupported repositories just to get software that's there out of the box in Debian.

Ubuntu LTS - five years support but presumes nothing changes and you then find huge problems moving to the next LTS because the intervening releases have disappeared ...

Debian's not so bad at all - especially considering that it's an all volunteer organisation: it's certainly stable enough to use anywhere for any purpose.

AndyC

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 26.08.2013 20:14, Andrew M.A. Cater wrote:

Ubuntu LTS - five years support but presumes nothing changes and you then find huge problems moving to the next LTS because the intervening releases have disappeared ...

You don't need the intervening releases, Ubuntu recommends doing LTS-LTS upgrades. e.g. 10.04 -> 12.04 -> 14.04.

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 08/26/2013 12:33 PM, Neil McGovern wrote:

I'm hoping that these raising of hands are also offers to help do the work to make it happen.

Neil

Which is why there's only a single person that replied to my workflow proposal ... to criticize my idea to do it on a separate infrastructure, but giving no idea how to solve the pb.

Guys, if you want it to happen, raise your hands *now* like Gustavo did. Otherwise, please everyone: let this thread die and never raise the topic again in this list.

Thomas