On Fri Jun 22, 2007 at 20:24:22 +0200, ignatius wrote:

> - Why is it Debian that fixes bugs and security holes? Why isn't it upstream
> developers?

Generally upstream developers *will* fix security holes, however Debian users
generally get their software from *us*. So if we're shipping software in our
stable release then for a fix to be sent to our users we need to release it.
(Otherwise the upstream software project might release a fixed release; but 99%
of the package users would not notice and still be installing the version from
our repository.)

> How can you be sure that all security holes will be found or
> revealed?

We cannot. We sometimes have some people scanning for problems and reporting
them, but there is absolutely no promise that a program we ship will be free of
security issues.

Since you use Windows in your mail then I could say "How can Microsoft promise
that their software is security-hole free?". The answer is that they cannot,
and neither can we.

> (for instance an old software in stable can have a security issue
> which is not in the recent version, so upstream can't find it) Why do upstream
> developers of important software not sometimes provide stable versions of
> their programs (eg linux kernel, libc, xorg), instead of letting Debian do the
> job for them?

You'll have to ask them. Some projects do release patches for old(er)
versions. Others, such as the Mozilla project, do not.

> I mean, with Windows (sorry), things are sometimes more logical: the kernel,
> "xserver, xclient", etc. (important apps) are stable for years, but you can
> have the latest firefox without updating them (like a mix stable/unstable,
> except that stable software is maintained by upstream, not by a
> distribution).

This is tangential to security support, and security updates. Important Windows
DLLs *do* get changed for security fixes, but the public API doesn't change -
so that the latest programs still run. This is the same as the Debian stable
release system.

> - Why isn't Debian KISS (Keep It Simple, Stupid!) compliant? I mean, I never
> need to change my conf files. If I have a problem, I solve it with apt-get or
> dpkg-reconfigure. I don't understand how things work and I'm too dependent
> on Debian.

The problem with you being dependent upon Debian is with you, not with Debian.

> Furthermore, .deb are really complicated compared with other package
> tools. I like for instance the Frugalware philosophy: "We try to ship fresh
> and stable software, as close to the original source as possible, because in
> our opinion most software is the best as is, and doesn't need patching."

They are simple and logical once you look at them. However 99% of users will
never need to look at the files manually. So it doesn't matter.

I don't understand RPMs, but I don't need to. I just install them with "yum
install emacs" and it works. The complexity is hidden from me and with good
reason.

> Well, I don't like what Linux is today. Software developers don't care about
> stability, are not responsible, whereas each Linux distribution re-does the
> same jobs without cooperating. Linus should do something. It's too easy to
> create a kernel and then let it go alone.

Linus has no say in distributions, and most likely doesn't care.

If you have an objection to the way things are currently working you need to
persuade the people who make your distribution to change, not just say that
"you don't like it". If you do that too often people will, rightly, ignore you.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/