Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-09-01 Thread Michael Gilbert
On Sun, Sep 1, 2013 at 6:04 AM, Paul Wise wrote: > On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote: > >> I've been meaning to add more informative info to the security-tracker >> about end-of-lifed packages. Right now you can see that info in the >> raw tracker data, but the generate web pa

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-09-01 Thread Vincent Bernat
❦ 1 September 2013 12:04 CEST, Paul Wise: > http://anonscm.debian.org/viewvc/secure-testing/data/package-tags?view=co > > As far as I can tell users are very unlikely to notice this. The tags > are exported to the Packages files in wheezy but apt doesn't do > anything with that information. de

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-09-01 Thread Paul Wise
On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote: > I've been meaning to add more informative info to the security-tracker > about end-of-lifed packages. Right now you can see that info in the > raw tracker data, but the generate web pages don't make that clear at > all. Is the raw tracker

Re: Dreamhost dumps Debian

2013-08-31 Thread Kevin Chadwick
> "Upgrading is easy" is not really a valid retort. Though it does mitigate > the cost, it does not eliminate it. Nobody wants to spend their automation > budget on making upgrading easy enough to do on a whim. There are plenty > of other concerns that automation must address that have nothing to d

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-31 Thread Michael Gilbert
On Tue, Aug 27, 2013 at 9:58 AM, Simon McVittie wrote: > On 27/08/13 14:32, Pau Garcia i Quiles wrote: >> What do you do with the 1 year of support Debian currently gives to >> oldstable? It's also 1 year you stopped using that version, so no >> technical challenge either. > > There does need to be

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-31 Thread Michael Gilbert
On Tue, Aug 27, 2013 at 4:50 PM, Pau Garcia i Quiles wrote: > On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery wrote: > >> > IMHO the Security Team should not act as fixers themselves but more as >> > proxies, passing information about a security issue to the maintainer of >> > the package. >> >> And

Re: Dreamhost dumps Debian

2013-08-30 Thread Clint Byrum
Excerpts from Kevin Chadwick's message of 2013-08-30 10:28:51 -0700: > > I wasn't clear, I don't mean you'll do each one as a special snowflake > > in-place. I mean, 20,000 machines is simply a lot of machines to > > manage. No matter what, upgrading or replacing the OS all within a 1 > > year sch

Re: Dreamhost dumps Debian

2013-08-30 Thread Kevin Chadwick
> I wasn't clear, I don't mean you'll do each one as a special snowflake > in-place. I mean, 20,000 machines is simply a lot of machines to > manage. No matter what, upgrading or replacing the OS all within a 1 > year schedule that you do not control and cannot fully predict, is a > big hassle. W

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-30 Thread Michael Meskes
On Thu, Aug 29, 2013 at 05:31:26PM +0200, Ondřej Surý wrote: > So properly maintaining our stable/oldstable is a mandatory first step into > being > able to provide even longer support for random release we start to call the > LTS. > > Whether we achieve that by throwing more manpower into the bun

Re: Dreamhost dumps Debian

2013-08-29 Thread Russ Allbery
Clint Byrum writes: > Dreamhost is a hosting company. It actually is quite possible that all > 20,000 machines mentioned are unique snowflakes in this case. Though it > is probably more likely that there at most 10,000 unique machines, with > some customers having only one, but others having 3 or

Re: Dreamhost dumps Debian

2013-08-29 Thread Clint Byrum
Excerpts from Russ Allbery's message of 2013-08-27 13:47:01 -0700: > Clint Byrum writes: > > > Perhaps you missed the blog post [1] details? > > > "About ten months ago, we realized that the next installation of Debian > > was upcoming, and after upgrading about 20,000 machines since Debian 6 >

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-29 Thread gustavo panizzo
On 08/27/2013 06:53 AM, Pau Garcia i Quiles wrote: > > stable. Having a team of people like Mike, Michael, Gustavo, me, etc > to take care of EVERY package is plain impossible, especially if we > want 5 years i didn't say EVERY package i say the packages we care about we simply don't have the manp

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-29 Thread Ondřej Surý
On Thu, Aug 29, 2013 at 2:08 PM, Michael Meskes wrote: > On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote: > > On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes > wrote: > > > Anyhow, I doubt we can reasonably expect to maintain *all* packages > for a > > > longer > > > period. How abou

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-29 Thread Michael Meskes
On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote: > On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes wrote: > > Anyhow, I doubt we can reasonably expect to maintain *all* packages for a > > longer > > period. How about starting with a defined list of packages that we do care > > about in

Update policies for security bugs [Was, Re: Dreamhost dumps Debian]

2013-08-29 Thread Ian Jackson
Steve Langasek writes ("Update policies for security bugs [Was, Re: Dreamhost dumps Debian]"): > I don't think this is incompatible with my contention that updates for > security bugs should be driven by the security team. If we think a security > fix should not be pushe

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-29 Thread Paul Wise
On Thu, Aug 29, 2013 at 11:59 AM, Martin Zobel-Helas wrote: > I am raising my hand here. I am willing to support the debian security > team. I will be able to do that during my paid work time, as my > employer, credativ, is backing this. > > Mid-term goal should be a Debian LTS version, but we can

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-29 Thread Martin Zobel-Helas
Hi, On Tue Aug 27, 2013 at 02:11:56 +0200, Thomas Goirand wrote: > On 08/26/2013 12:33 PM, Neil McGovern wrote: > > I'm hoping that these raising of hands are also offers to help do the > > work to make it happen. > > > Guys, if you want it to happen, raise your hands *now* like Gustavo did. > O

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Bastien ROUCARIES
On Wed, Aug 28, 2013 at 12:47 PM, Ian Jackson wrote: > Ian Jackson writes ("Re: Longer maintainance for (former) stable releases of > Debian (Re: Dreamhost dumps Debian)"): >> Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable >> releas

Re: Dreamhost dumps Debian

2013-08-28 Thread Philipp Kern
On 2013-08-28 10:42, Ian Jackson wrote: As Peter Palfrader points out stable-updates allows more review, because it doesn't suffer from the process problems caused by the need for secrecy. stable-updates are also made in less of a hurry. Iff people actually test proposed-updates. The feedback

Update policies for security bugs [Was, Re: Dreamhost dumps Debian]

2013-08-28 Thread Steve Langasek
On Wed, Aug 28, 2013 at 11:42:05AM +0100, Ian Jackson wrote: > Steve Langasek writes ("Re: Dreamhost dumps Debian"): > > To me, being redirected to stable-updates constitutes a refusal/denial by > > the security team to use the security updates channel. Again, if it'

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Pau Garcia i Quiles
On Wed, Aug 28, 2013 at 4:55 PM, Neil McGovern wrote: > I think you have a very valid point here. I kind of doubt many people > would > > like to run on a five year old desktop. > > > > Stats seem to disagree: > > http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=11&qpcusto

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Neil McGovern
On Wed, Aug 28, 2013 at 04:29:08PM +0200, Michael Meskes wrote: > On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote: > > I don't really understand it myself as server packages and their > > dependencies tend to be stable and I tend to want the latest versions of > > dovecot, unbound et

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Ondřej Surý
On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes wrote: > On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote: > > I don't really understand it myself as server packages and their > > dependencies tend to be stable and I tend to want the latest versions of > > dovecot, unbound etc.. > >

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Michael Meskes
On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote: > I don't really understand it myself as server packages and their > dependencies tend to be stable and I tend to want the latest versions of > dovecot, unbound etc.. > > However perhaps there is a divide here between servers which wa

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Ian Jackson
Ian Jackson writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"): > Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable > releases of Debian (Re: Dreamhost dumps Debian)"): > > Why not un thi

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Ian Jackson
Bastien ROUCARIES writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"): > On 27 August 2013 19:32, "Ian Jackson" wrote: > > Worse: in practice, removing packages is invisible to the users and > > their pa

Re: Dreamhost dumps Debian

2013-08-28 Thread Ian Jackson
Steve Langasek writes ("Re: Dreamhost dumps Debian"): > To me, being redirected to stable-updates constitutes a refusal/denial by > the security team to use the security updates channel. Again, if it's a > security issue that's not important enough to be an officia

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-28 Thread Andrei POPESCU
On Tue, 27 Aug 13, 10:18:53, Russ Allbery wrote: > > Alternately, we could be far more aggressive about removing packages from > oldstable, I suppose, but I don't think that's a good idea; that just > leaves our users with exactly the sorts of choices that we're trying to > avoid. I think it's muc

Re: Dreamhost dumps Debian

2013-08-28 Thread Peter Palfrader
On Tue, 27 Aug 2013, Steve Langasek wrote: > Well, I don't think that's a very good policy. I don't see why, if the bug > is worth fixing in a stable release for security reasons, it should go > through the stable-updates channel instead of the security channel. Going via stable-updates allows f

Re: Dreamhost dumps Debian

2013-08-27 Thread Steve Langasek
On Tue, Aug 27, 2013 at 11:51:40PM +0200, Moritz Mühlenhoff wrote: > Steve Langasek wrote: > > I understand the > > motivation (like everyone else they have more to do than they have time to > > do it in), but I think the outcome, whereby the security team denies use of > > the security update c

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Moritz Mühlenhoff
Michael Meskes wrote: > Which brings up the interesting question how it works for stable now. How > often > do bugs get fixed by the security team and how often by maintainers > themselves? No hard numbers, but I'd suppose half and half (i.e. cases, where the maintainer prepared the update, w

Re: Dreamhost dumps Debian

2013-08-27 Thread Moritz Mühlenhoff
Steve Langasek wrote: > I understand the > motivation (like everyone else they have more to do than they have time to > do it in), but I think the outcome, whereby the security team denies use of > the security update channel for non-"critical" security bugs and redirects > maintainers to stable

Re: Dreamhost dumps Debian

2013-08-27 Thread Moritz Mühlenhoff
Russ Allbery wrote: > Pau Garcia i Quiles writes: >> On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery wrote: > >>> My experience is that I can just barely manage to convince upstreams to >>> look over my backports of security patches to packages in oldstable > >> What makes you think Ubuntu, Red

Re: Dreamhost dumps Debian

2013-08-27 Thread Clint Byrum
Excerpts from Kevin Chadwick's message of 2013-08-27 11:45:34 -0700: > > > Large hosting companies not having made their scripts etc. good enough > > > to ride out upgrades well should have nothing to do with any decision. > > > > I don't think the problem here is with "Large hosting companies n

Re: Dreamhost dumps Debian

2013-08-27 Thread Russ Allbery
Clint Byrum writes: > Perhaps you missed the blog post [1] details? > "About ten months ago, we realized that the next installation of Debian > was upcoming, and after upgrading about 20,000 machines since Debian 6 > (aka Squeeze) was released, we got pretty tired." > Even if the script is _PER

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Pau Garcia i Quiles
On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery wrote: > IMHO the Security Team should not act as fixers themselves but more as > > proxies, passing information about a security issue to the maintainer of > > the package. > > And what happens then if the maintainer doesn't respond? > > Then, and on

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Bastien ROUCARIES
On 27 August 2013 19:32, "Ian Jackson" wrote: > > Russ Allbery writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"): > > If we're going to offer meaningful security support, we have to have a > > bug

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Kevin Chadwick
> Alternately, we could be far more aggressive about removing packages from > oldstable, I suppose, but I don't think that's a good idea; that just > leaves our users with exactly the sorts of choices that we're trying to > avoid. I think it's much cleaner and better for our users to offer full >

Re: Dreamhost dumps Debian

2013-08-27 Thread Kevin Chadwick
> > Large hosting companies not having made their scripts etc. good enough > > to ride out upgrades well should have nothing to do with any decision. > > I don't think the problem here is with "Large hosting companies not > having made their scripts etc. good enough". I don't think it has > anyt

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Ian Jackson
Russ Allbery writes ("Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)"): > If we're going to offer meaningful security support, we have to have a > bug-fixer of last resort, and that's the party most stressed by ex

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Russ Allbery
Pau Garcia i Quiles writes: > IMHO the Security Team should not act as fixers themselves but more as > proxies, passing information about a security issue to the maintainer of > the package. And what happens then if the maintainer doesn't respond? If we're going to offer meaningful security sup

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Simon McVittie
On 27/08/13 14:32, Pau Garcia i Quiles wrote: > What do you do with the 1 year of support Debian currently gives to > oldstable? It's also 1 year you stopped using that version, so no > technical challenge either. There does need to be some amount of overlap, because people can't necessarily upgra

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Thomas Goirand
On 08/27/2013 02:28 PM, Michael Meskes wrote: > Which brings up the interesting question how it works for stable now. How > often > do bugs get fixed by the security team and how often by maintainers > themselves? > How much work is this for the security team? Yes, I know, the older the > softwar

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Thomas Goirand
On 08/27/2013 12:41 PM, Ben Hutchings wrote: > It's hard enough to get maintainers to fix bugs in current stable > (backporting can be difficult, and some just don't care), let alone > another 3 years of LTS. > > Ben. I agree with what you wrote above Ben. Though that is not in a direct relation

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Pau Garcia i Quiles
On Tue, Aug 27, 2013 at 12:03 PM, Lars Wirzenius wrote: On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote: > > But I'd like to stress we need *all* developers to be involved fix bugs > > (esp. security) in their packages in all the supported releases, not only > > in current-sta

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Thomas Goirand
On 08/27/2013 11:53 AM, Pau Garcia i Quiles wrote: > > On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes > wrote: > > > > Guys, if you want it to happen, raise your hands *now* like > Gustavo did. > > Otherwise, please everyone: let this thread die and neve

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Pau Garcia i Quiles
On Tue, Aug 27, 2013 at 2:09 PM, Neil McGovern wrote: Indeed. Look at the security team for example. In theory, if all > maintainers cared enough about the older packages, we wouldn't need the > level of people we currently do. > IMHO the Security Team should not act as fixers themselves but more

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Michael Meskes
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote: > The challenge was: who is willing to do the work. Your answer is: me, > but only everyone else helps. > > That doesn't answer the challenge at all. Agreed. > It's hard enough to get maintainers to fix bugs in current stable > (bac

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Neil McGovern
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote: > The challenge was: who is willing to do the work. Your answer is: me, > but only everyone else helps. > > That doesn't answer the challenge at all. > > It's hard enough to get maintainers to fix bugs in current stable > (backportin

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Ben Hutchings
On Tue, 2013-08-27 at 11:53 +0200, Pau Garcia i Quiles wrote: > > On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes > wrote: > > > Guys, if you want it to happen, raise your hands *now* like > Gustavo did. > > Otherwise, please everyone: let this thread die and never >

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Lars Wirzenius
On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote: > But I'd like to stress we need *all* developers to be involved fix bugs > (esp. security) in their packages in all the supported releases, not only > in current-stable. I am afraid I am not on board for this. I do not agree wit

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Pau Garcia i Quiles
On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes wrote: > > Guys, if you want it to happen, raise your hands *now* like Gustavo did. > > Otherwise, please everyone: let this thread die and never raise the > > topic again in this list. > > Raising my hand here ... > One more hand. But I'd like

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-27 Thread Michael Meskes
On Tue, Aug 27, 2013 at 02:11:56AM +0200, Thomas Goirand wrote: > Guys, if you want it to happen, raise your hands *now* like Gustavo did. > Otherwise, please everyone: let this thread die and never raise the > topic again in this list. Raising my hand here ... Michael -- Michael Meskes Michael

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Thomas Goirand
On 08/26/2013 12:33 PM, Neil McGovern wrote: > I'm hoping that these raising of hands are also offers to help do the > work to make it happen. > > Neil Which is why there's only a single person that replied to my workflow proposal ... to criticize my idea to do it on a separate infrastructure, bu

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Andreas Moog
On 26.08.2013 20:14, Andrew M.A. Cater wrote: > Ubuntu LTS - five years support but presumes nothing changes and you then > find huge problems moving to the next LTS because the > intervening releases have disappeared ... You don't need the intervening releases, Ubuntu recommends doing LTS->LT

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Andrew M.A. Cater
On Mon, Aug 26, 2013 at 09:31:06AM +0200, Mike Gabriel wrote: > Hi Charles, > > On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote: > > >Altogether, it is a lot of work, but if we have enough people for > >doing it, think that it would be very positive for us. > > /me raises his hand for givin

Re: Dreamhost dumps Debian

2013-08-26 Thread Clint Byrum
Excerpts from Thomas Goirand's message of 2013-08-25 16:36:48 -0700: > On 08/21/2013 05:45 PM, Kevin Chadwick wrote: > > Large hosting companies not having made their scripts etc. good enough > > to ride out upgrades well should have nothing to do with any decision. > > I don't think the problem h

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Dr. Michael Meskes
>> Long-term support of stable releases was one of the reasons for the >> debian-companies@ initiative. I'm Ccing Michael Meskes, who is >> interested in coordinating this initiative. > JFTR Coordination of LTS support should not go through a closed list. And I don't think anyone suggested that. T

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Alexander Wirt
Lucas Nussbaum wrote on Monday, 26 August 2013: > On 26/08/13 at 10:00 -0300, gustavo panizzo wrote: > > On 08/26/2013 07:33 AM, Neil McGovern wrote: > > > I'm hoping that these raising of hands are also offers to help do the > > > work to make it happen. > > i offer help, we are intereste

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Lucas Nussbaum
On 26/08/13 at 10:00 -0300, gustavo panizzo wrote: > On 08/26/2013 07:33 AM, Neil McGovern wrote: > > I'm hoping that these raising of hands are also offers to help do the > > work to make it happen. > i offer help, we are interested on longer maintenance for some packages. > i think we should sta

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Alexander Wirt
gustavo panizzo wrote on Monday, 26 August 2013: > On 08/26/2013 07:33 AM, Neil McGovern wrote: > > I'm hoping that these raising of hands are also offers to help do the > > work to make it happen. > i offer help, we are interested on longer maintenance for some packages. > i think we shou

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread gustavo panizzo
On 08/26/2013 07:33 AM, Neil McGovern wrote: > I'm hoping that these raising of hands are also offers to help do the > work to make it happen. i offer help, we are interested on longer maintenance for some packages. i think we should start to coordinate, if is anybody else willing to help with the

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Neil McGovern
On Mon, Aug 26, 2013 at 11:14:25AM +0200, Balint Reczey wrote: > Hi All, > > On 08/26/2013 09:31 AM, Mike Gabriel wrote: > > Hi Charles, > > > > On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote: > > > >> Altogether, it is a lot of work, but if we have enough people for > >> doing it, think t

Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Balint Reczey
Hi All, On 08/26/2013 09:31 AM, Mike Gabriel wrote: > Hi Charles, > > On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote: > >> Altogether, it is a lot of work, but if we have enough people for >> doing it, think that it would be very positive for us. > > /me raises his hand for giving his wor

Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

2013-08-26 Thread Mike Gabriel
Hi Charles, On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote: Altogether, it is a lot of work, but if we have enough people for doing it, think that it would be very positive for us. /me raises his hand for giving his work for longer maintenance of former Debian stable releases. For c

Re: Dreamhost dumps Debian

2013-08-25 Thread Thomas Goirand
On 08/21/2013 05:45 PM, Kevin Chadwick wrote: > Large hosting companies not having made their scripts etc. good enough > to ride out upgrades well should have nothing to do with any decision. I don't think the problem here is with "Large hosting companies not having made their scripts etc. good en

Re: Dreamhost dumps Debian

2013-08-22 Thread Daniel Pocock
On 21/08/13 19:08, Clint Byrum wrote: > Excerpts from Kevin Chadwick's message of 2013-08-21 08:45:27 -0700: >> My point of view is that Debian Stable should be aiming for whatever >> they believe the sweet point between stable and so usable without having >> problems is and maximising security. Ak

Re: Dreamhost dumps Debian

2013-08-21 Thread Clint Byrum
Excerpts from Kevin Chadwick's message of 2013-08-21 08:45:27 -0700: > My point of view is that Debian Stable should be aiming for whatever > they believe the sweet point between stable and so usable without having > problems is and maximising security. Aka maximising productivity and > safety with

Re: Dreamhost dumps Debian

2013-08-21 Thread Marc Haber
On Wed, 21 Aug 2013 17:58:55 +0200, Pau Garcia i Quiles wrote: >On Wed, Aug 21, 2013 at 5:45 PM, Kevin Chadwick wrote: >Does anyone even know for sure what the decision to switch was actually >> based upon? > >Not really, but I have seen Debian rejected at several companies >(customers) due to too

Re: Dreamhost dumps Debian

2013-08-21 Thread Pau Garcia i Quiles
On Wed, Aug 21, 2013 at 5:45 PM, Kevin Chadwick wrote: Does anyone even know for sure what the decision to switch was actually > based upon? > Not really, but I have seen Debian rejected at several companies (customers) due to too-short support of old releases and too-far away releases. Both are

Re: Dreamhost dumps Debian

2013-08-21 Thread Kevin Chadwick
My point of view is that Debian Stable should be aiming for whatever they believe the sweet point between stable and so usable without having problems is and maximising security. Aka maximising productivity and safety with no other concerns or compromises. Large hosting companies not having made t

Re: Dreamhost dumps Debian

2013-08-21 Thread Steve Langasek
On Wed, Aug 21, 2013 at 10:35:34AM +0100, Philip Hands wrote: > Wookey writes: > > +++ Ian Jackson [2013-08-20 16:05 +0100]: > > > >> The bigger problem for a Debian LTS is this: 1. who is going to do > >> security support for it ? > > Ideally it would be the people that want releases supported

Re: Dreamhost dumps Debian

2013-08-21 Thread Ian Jackson
Ian Jackson writes ("Re: Dreamhost dumps Debian"): > I think we need to do more than that. We need to arrange to > automatically disable affected software (by default). (And that has > to be done in a way that allows an affected user to re-enable it, and > which is sorted o

Re: Dreamhost dumps Debian

2013-08-21 Thread Ian Jackson
Russ Allbery writes ("Re: Dreamhost dumps Debian"): > Yeah, I know. But the number of such exceptions is relatively limited, > enough so that we can issue security advisories saying they're not > supported any more. It's not a comfortable compromise, but it seems to

Re: Dreamhost dumps Debian

2013-08-21 Thread Wookey
+++ Philip Hands [2013-08-21 10:35 +0100]: > Wookey writes: > > > I have always thought that there was room for a business selling > > longer-term Debian support. > > Quite. > > It seems to me that doing things to keep these people cheerful should > attract a financial reward. If that made the

Re: Dreamhost dumps Debian

2013-08-21 Thread Pau Garcia i Quiles
On Wed, Aug 21, 2013 at 1:48 AM, Ben Hutchings wrote: Ubuntu uses a combination of driver backports and newer kernel versions > in LTS releases. > > As Clint, Philipp and you say, I was wrong. However, I don't see that as an insurmountable argument against Debian LTSs. It "just" means the kernel

Re: Dreamhost dumps Debian

2013-08-21 Thread Philip Hands
Wookey writes: > +++ Ian Jackson [2013-08-20 16:05 +0100]: > >> The bigger problem for a Debian LTS is this: 1. who is going to do >> security support for it ? > > Ideally it would be the people that want releases supported longer - > e.g this dreamhost outfit, and presumably many organisations

Re: Dreamhost dumps Debian

2013-08-20 Thread Ben Hutchings
On Tue, 2013-08-20 at 17:49 +0200, Pau Garcia i Quiles wrote: [...] > 2. How are we going to deal with > drivers for new hardware - upgrade the kernel to LTS+1's ? > > AFAIK Ubuntu does not add drivers for new hardware to any version save > for, maybe, some exceptional cases (th

Re: Security support proposed workflow for the very-old-stable (was: Dreamhost dumps Debian)

2013-08-20 Thread Adam Borowski
On Tue, Aug 20, 2013 at 09:33:52PM +0200, Thomas Goirand wrote: > My initial idea wasn't to never *impose* the extended security > maintenance to all DDs. Instead, we could do it on a best-effort basis, > collectively. Meaning that anyone willing to do security fixes for the > EOL distribution (one

Re: Dreamhost dumps Debian

2013-08-20 Thread Philipp Kern
Pau, on Tue, Aug 20, 2013 at 05:49:57PM +0200 you wrote the following: > AFAIK Ubuntu does not add drivers for new hardware to any version save for, > maybe, some exceptional cases (that I cannot remember, frankly). they backport the xservers and kernels of current releases to the latest LT

Re: Dreamhost dumps Debian

2013-08-20 Thread Wookey
+++ Ian Jackson [2013-08-20 16:05 +0100]: > The bigger problem for a Debian LTS is this: 1. who is going to do > security support for it ? Ideally it would be the people that want releases supported longer - e.g this dreamhost outfit, and presumably many organisations like them. Security suppor

Re: Dreamhost dumps Debian

2013-08-20 Thread Clint Byrum
Excerpts from Pau Garcia i Quiles's message of 2013-08-20 08:49:57 -0700: > > The bigger problem for a Debian LTS is this: 1. who is going to do > > security support for it ? > > > > The same people that maintain the packages in sid and stable: the > maintainer(s) for each package. For orphaned

Re: Dreamhost dumps Debian

2013-08-20 Thread Thomas Goirand
On 08/20/2013 05:05 PM, Ian Jackson wrote: > The bigger problem for a Debian LTS is this: 1. who is going to do > security support for it ? My answer is: anyone who cares (and *not* necessarily the package maintainer) in a free-for-all way, with peer review if possible (not necessarily by the secu

Re: Security support proposed workflow for the very-old-stable (was: Dreamhost dumps Debian)

2013-08-20 Thread Thomas Goirand
On 08/20/2013 05:17 PM, Clint Byrum wrote: >> E. g: >> - In January 2014 we release Debian 8.0. We make this an LTS release, >> meaning it would get updates for, say 3 years (until January 2017), and >> security updates for 5 years (until January 2019). >> - In February 2015 we release Debian 9.0.

Re: Dreamhost dumps Debian

2013-08-20 Thread Russ Allbery
Pau Garcia i Quiles writes: > On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery wrote: >> My experience is that I can just barely manage to convince upstreams to >> look over my backports of security patches to packages in oldstable > What makes you think Ubuntu, Red Hat, etc ask upstream to look a

Re: Dreamhost dumps Debian

2013-08-20 Thread Thomas Goirand
On 08/20/2013 02:04 AM, Charles Plessy wrote: > However, one difficulty that was not mentioned in this thread is that if we > aim at both long term support and frequent releases, then we need to support > users skipping releases I don't see why. > or upgrading multiple releases in a row. Don't

Re: Dreamhost dumps Debian

2013-08-20 Thread Thijs Kinkhorst
On Tue, August 20, 2013 19:40, Steve Langasek wrote: > On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote: >> IMHO that should be turned around: package maintainers should be the >> ones responsible for updates and the Security Team should help with that >> (e.g. by providing tips

Re: Dreamhost dumps Debian

2013-08-20 Thread Pau Garcia i Quiles
On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery wrote: > >> The same people that maintain the packages in sid and stable: the > >> maintainer(s) for each package. [...] > > > That is not the case. At the moment most of this is done by the > > Debian security team. Of course some package maintain

Re: Dreamhost dumps Debian

2013-08-20 Thread Russ Allbery
Ian Jackson writes: > Pau Garcia i Quiles writes ("Re: Dreamhost dumps Debian"): >> The same people that maintain the packages in sid and stable: the >> maintainer(s) for each package. [...] > That is not the case. At the moment most of this is done by the > D

Re: Dreamhost dumps Debian

2013-08-20 Thread Steve Langasek
On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote: > On Tue, Aug 20, 2013 at 6:25 PM, Ian Jackson < > ijack...@chiark.greenend.org.uk> wrote: > > > The bigger problem for a Debian LTS is this: 1. who is going to do > > > > security support for it ? > > > The same people that mai

Re: Dreamhost dumps Debian

2013-08-20 Thread Christian PERRIER
Quoting Pau Garcia i Quiles (pgqui...@elpauer.org): > > That is not the case. At the moment most of this is done by the > > Debian security team. Of course some package maintainers do help. > > > > > IMHO that should be turned around: package maintainers should be the ones > responsible for upda

Re: Dreamhost dumps Debian

2013-08-20 Thread Russ Allbery
Paul Wise writes: > We are already no longer supporting iceweasel in squeeze: > http://www.debian.org/security/2013/dsa-2735 > At one point we stopped supporting clamav in oldstable: > http://www.debian.org/security/2008/dsa-1497 > At one point there was an experiment to express the lack of s

Re: Dreamhost dumps Debian

2013-08-20 Thread Pau Garcia i Quiles
On Tue, Aug 20, 2013 at 6:25 PM, Ian Jackson < ijack...@chiark.greenend.org.uk> wrote: > > The bigger problem for a Debian LTS is this: 1. who is going to do > > > security support for it ? > > > > The same people that maintain the packages in sid and stable: the > > maintainer(s) for each package

Re: Dreamhost dumps Debian

2013-08-20 Thread Ian Jackson
Pau Garcia i Quiles writes ("Re: Dreamhost dumps Debian"): > [Ian Jackson] > > The bigger problem for a Debian LTS is this: 1. who is going to do > > security support for it ? > > The same people that maintain the packages in sid and stable: the > maintainer(s

Re: Dreamhost dumps Debian

2013-08-20 Thread Pau Garcia i Quiles
> The bigger problem for a Debian LTS is this: 1. who is going to do > security support for it ? The same people that maintain the packages in sid and stable: the maintainer(s) for each package. For orphaned packages, NMUs by other developers or even a new maintainer team ("foster-car...@debian.

Re: Dreamhost dumps Debian

2013-08-20 Thread Clint Byrum
Excerpts from Pau Garcia i Quiles's message of 2013-08-20 04:15:12 -0700: > On Tue, Aug 20, 2013 at 12:46 PM, Steve Langasek wrote: > > > On Mon, Aug 19, 2013 at 11:48:13PM -0400, Michael Gilbert wrote: > > > > Russ already replied and I agree with its reply. Just to say that > > Debian > > > > u

Re: Dreamhost dumps Debian

2013-08-20 Thread Ian Jackson
Adam Borowski writes ("Re: Dreamhost dumps Debian"): > On Tue, Aug 20, 2013 at 03:33:26PM +0100, Ian Jackson wrote: > > I have done skip upgrades on multiple occasions. The fallout was > > always manageable. (The most recent one was etch->squeeze IIRC.) > > Wh

Re: Dreamhost dumps Debian

2013-08-20 Thread Adam Borowski
On Tue, Aug 20, 2013 at 03:33:26PM +0100, Ian Jackson wrote: > Charles Plessy writes ("Re: Dreamhost dumps Debian"): > > However, one difficulty that was not mentioned in this thread is that if we > > aim at both long term support and frequent releases, then we need to s

Re: Dreamhost dumps Debian

2013-08-20 Thread Ian Jackson
Charles Plessy writes ("Re: Dreamhost dumps Debian"): > However, one difficulty that was not mentioned in this thread is that if we > aim at both long term support and frequent releases, then we need to support > users skipping releases or upgrading multiple releases in a row

Re: Dreamhost dumps Debian

2013-08-20 Thread Scott Kitterman
Paul Wise wrote: ... >At one point we stopped supporting clamav in oldstable: > >http://www.debian.org/security/2008/dsa-1497 ... That, at least, is unlikely to be repeated. Upstream does a much better job of maintaining a consistent API and ABI compatibility these days. Scott K
