Web lists-archives.com

Re: What can Debian do to provide complex applications to its users?

Philipp Kern dijo [Mon, Feb 19, 2018 at 09:18:13AM +0100]:
> Putting security support over all else is surely how some people see it. But
> some upstreams also complain if you are going to ship ancient versions
> because the most recent ones contain all of the fixes. It's certainly more
> work to validate security fixes when backporting them to older versions. So
> it's also the "stable" guarantee (whatever it is seen as) that might need
> some re-adjustment.

Maybe we abuse the "security support" term - It's also "stability
support" or "bugfix commitment". We can commit to fixing the one
version of a library we ship that's producing erroneous results on
given inputs; that's not necessarily security-related (although it
might be). If libpng gets confused¹, it's not a security issue until
its input is treated on a sensitive way.

¹ http://gwolf.org/node/1952 for quite an old report

> One of the values is that you get some set of software that works together
> as a base and doesn't change, but then people install software on top of it
> that provides their service and if it's actually the thing they want to
> provide it's most likely not packaged anymore at this point. Because you'd
> want the latest features of the product you're using. So there's already a
> disconnect of essentially two tracks: the system's base at a solid version
> and whatever it is you want to offer at a fast moving pace.

This is an oft-repeating issue. At some point, Debian was the ugly
duckling because we did two- or three-year release cycles; at some
point, basically all other important distributions switched to a
longer release cycle in some way or another, keeping a "stabilized
snapshot" of sorts (i.e. Fedora for RH, Ubuntu on its non-LTSes). Or,
OTOH, became a fully rolling release. And we have both - only that we
don't recommend testing to users who expect the rock-solid we are
known to produce.

Having large software ready as a Debian package allows me, as a casual
user, to take it for a spin and evaluate it. As a sysadmin, I have the
habit of preferring Debian-packaged software for everything I can,
except when there is a _real_ reason for needing somewhat
newer. Again, I know I'm probably more Debian-centric than most of our
users, but I don't think it is too hard a line to pick: Use Debian for
all of your needs, and if it does not completely fill the bill, you
can locally install what you need. Of course, if it's hard to install
or something like that... maybe you want to learn the technologies you
will be using instead!

> That's also a reality in 2018. And coming up with arbitrary
> deadlines of support are not all that helpful. Users don't care if
> the ancient version of the software they need in stable is security
> supported until mid-2022. If it doesn't satisfy their requirements
> anymore, they move to testing or to another distribution.

My users are most often irked when I do OS upgrades and modify their
stale, beloved webmail installation. Of course, I still do it whenever
it's needed. But I have been repeatedly, even publicly asked as to why
do we push a "consumerist" worldview where old things are not
good. It's sometimes hard to explain why we need updated software...