On Wed, Aug 05, 2009 at 03:48:06PM +0100, Mark Shuttleworth wrote:
> >> If upstream knows, for example, that MANY distributions will be
> >> shipping a particular version of their code and supporting it for
> >> several years (in fact, if they can sit down with those distributions
> >> and make suggestions as to which version would be best!) then they
> >> are more likely to be able to justify doing point releases with
> >> security fixes for that version... which in turn makes it easier for
> >> the security teams and maintainers in the distribution.
> >>
> >
> > In practice, most upstreams adopt a "you're using a version that's two
> > weeks old, go update to our current development snapshot and see
> > yourself whether the bug is still there" attitude.
> >
> That's true. To upstream there is "tip" (which all real developers run,
> right? ;-)) and then there's "the cloud of released versions which
> distributions are still shipping". It's hard to get their attention
> about the particular version that any one distribution is shipping, but
> I think it's reasonable to believe it would be easier to get their
> attention about a version that *many* distributions adopted.
Additionally, even if upstream isn't willing to provide any help to distros
shipping what they consider to be a "stale" version, the distros are in a
better position to help each other if they're shipping similar versions.

We see this sort of cooperation _all the time_ in the security community via
the vendor-sec mailing list. Patches for a given problem may be proposed by a
representative from one distro, reviewed by members of several others, and
finally used by even more. This may all happen with or without help from
upstream. Either way, it's easier for everybody involved if people are using
similar versions.

I suspect we'd see a lot more help from upstream developers if they knew they
only had to come up with a fix for a given problem once, rather than for
several different versions. We benefit either way, though.

noah