Web lists-archives.com

Re: What can Debian do to provide complex applications to its users?

On 2018-02-18 22:53, Adrian Bunk wrote:
In the year 2018, any kind of "properly maintain" includes security support.

Please elaborate how Debian can provide security support for packages
like gitlab and all their dependencies in buster until mid-2022.

If Debian cannot provide security support for the lifetime of a stable
Debian release, it is better for our users when they are installing the
software from upstream with the security support provided by upstream.

Putting security support over all else is surely how some people see it. But some upstreams also complain if you are going to ship ancient versions because the most recent ones contain all of the fixes. It's certainly more work to validate security fixes when backporting them to older versions. So it's also the "stable" guarantee (whatever it is seen as) that might need some re-adjustment.

One of the values is that you get some set of software that works together as a base and doesn't change, but then people install software on top of it that provides their service and if it's actually the thing they want to provide it's most likely not packaged anymore at this point. Because you'd want the latest features of the product you're using. So there's already a disconnect of essentially two tracks: the system's base at a solid version and whatever it is you want to offer at a fast moving pace. That's also a reality in 2018. And coming up with arbitrary deadlines of support are not all that helpful. Users don't care if the ancient version of the software they need in stable is security supported until mid-2022. If it doesn't satisfy their requirements anymore, they move to testing or to another distribution.

Kind regards
Philipp Kern