On 2010-01-22, Thiemo Nagel <thiemo.na...@ph.tum.de> wrote:
> Dear Michael,
>
> Michael Gilbert wrote:
>> it already seems hard enough with the current level of manpower to
>> support two releases at the same time let alone three. it may be
>> doable, but the security team would need more volunteers (particularly
>> those interested in doing the work to keep oldstable supported).
>
> I found this posting on testing-security-announce which seems to
> indicate that security support for squeeze is not going to start soon:
>
> http://lists.debian.org/debian-testing-security-announce/2010/01/msg00000.html
>
> However if that is the case, I wonder if oldstable support could be
> extended for some more time.
>
> I know that all the work is done by volunteers and I'm very grateful for
> what they do. Still I think that especially in the sector of
> institutional use, the popularity of Debian could be improved by
> offering longer support cycles. I don't think Debian should go as far
> as Microsoft does (10 years of support for Windows 2000), but 5 years of
> support in my opinion would be more suited to the typical upgrade [*]
> cycles in large organisations. [**]
We're already supporting more packages than any other distribution (all
other distributions offering long support cycles only cover a subset
of packages, this includes SLES, RHEL and Ubuntu) and we won't be able
to extend this further with volunteer resources.
The Security Team has discussed and stated before: If large institutions
want a longer support cycle for oldstable they should colloborate to fund
this externally. Supporting oldstable releases for two more years (i.e.
approx five years altogether and thus with the option to "skip" a release)
should be doable for a single person full time since most of the grunt
work (tracking, triaging and analysing issues, supporting the through the
life time of stable plus one year, etc.) is done by the existing Security
Team.
I.e. if anyone wants to see this happen, he'd need to organise this
through some kind of umbrella organisation, find a proper candidate to
do the work and sign-up 10-20 institutions commiting to fund 5%-10% of the
costs.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
