Excerpts from Russ Allbery's message of 2013-08-19 13:50:36 -0700:
> Clint Byrum <spam...@debian.org> writes:
>
> > Most places as large and tech-savvy as Dreamhost are happy to maintain
> > something at the core of their business like a webserver
> > (i.e. nginx). It is glibc, gcc, sshd, the kernel, bash, etc., that they
> > don't want to have to think about.
> >
> > The 2 year cadence has left users with very little time to actually
> > capitalize on their investment when upgrading. If one has 10 apps to
> > test and roll out on the new stable, and each app takes 1 month to get
> > there, and one starts immediately on release day, one now has 14 months
> > to recoup that time investment before one must start again. The only
> > real answer that makes sense is to continuously deploy on unstable, but
> > then you will suffer when a massive breaking transition begins.
> >
> > Those 5 year cycles just give users more cushion.
>
> Not that it helps with our marketing posture here, but my experience in
> seeing what people actually *do* with Ubuntu LTS is that they run it for
> five years with exactly the software that shipped with it. They do *not*
> maintain their own versions of non-core software that has had security
> problems. Rather, they just blindly assume that LTS having security
> support for five years means that, as long as they regularly upgrade, they
> don't have to worry about security.
>
> They therefore end up running various non-core software with open security
> vulnerabilities.

Indeed, that is consistent with the anecdotal evidence I have for Ubuntu
as well. Most of mine comes from triaging bugs and answering questions
for Ubuntu users. However, for a high-tech business in the same class as
Dreamhost, even core components of the OS come under scrutiny when they
affect the bottom line.

> This is mostly neither here nor there, since we're not Ubuntu and can't
> change anything about their model. However, as a Debian Developer, I
> would be extremely uncomfortable about having tiers of security support
> for our packages were we to try to duplicate something like LTS. I
> believe the actual effect on the users (unintended though it may be) is to
> deceive them into thinking they have security support when they don't.
> Debian currently provides security support for the whole archive as best
> as we can for the life of our stable release, and I don't think we should
> relax that standard to increase the lifetime of stable.

It is misleading and many users fall into the trap. However, those who
care enough to read their manuals and/or contact either Canonical or
another Ubuntu developer before building their entire business on top of
it usually understand the difference.

I am not suggesting any changes to Debian. I hope that I can bring some
perspective to the discussion, nothing more.

Archive: http://lists.debian.org/1376947589-sup-5...@fewbar.com