Web lists-archives.com

Re: concerns about Salsa




On Fri, 2018-06-08 at 10:11 +0800, Paul Wise wrote:
> In my experience the Wordpress upstream auto-upgrade system is
> typically faster than the Debian's handling of Wordpress.

I didn't realise Wordpress had an auto-upgrade system.  That put's in
the same league as the Browsers like Chrome and Firefox.  I'm
impressed.

However, it's not the same service that Debian offers.  Wordpress has
an auto upgrade system to the new version.  Debian has auto application
of security patches to an existing system.  To see the difference, try
googling "Wordpress upgrade breaks".  Or look at the howls of anguish
on this list directed up the upcoming Firefox ESR update for stable. 
Both are examples of what happens when you update to the latest version
rather than just applying security patches.

The ultimate measure is the number of systems a person can maintain
using one system over the other.  For the Debian way of doing things
there really isn't a limit, or more accurately other limits (like
hardware failures, and dealing with network and power outages) will hit
you first.  In Wordpress's case there is a background rate of plugin
and theme breakage which will eventually overwhelm you.

The difference between the two is pretty obvious to the person paying
the bills.  I suspect that is the real reason Debian, a project that
has no income to speak of, somehow manages to have all the
infrastructure it does - 60TB servers for snapshots, a mirror network
and CDN, LWN subscriptions, free venues for its conferences and I
suspect lots other things.  I don't know of another open source project
that gets even remotely close to this level of support.  It would be
downright peculiar, if it weren't for the fact that the value of the
service Debian provides can be judged by RedHat's turnover, which is
about $3 Billion/year.  For the firms throwing the occasional piece of
chump change Debian's way it must look like the bargain of the century.

> I also get the impression that the number of CVEs (let alone all
> security issues) is scaling faster than the amount of folks in Debian
> who are handling them.

Is there some public proxy measure for this?  For example, the number
of outstanding CVE's, or average days it takes for a CVE to get fixed?

Attachment: signature.asc
Description: This is a digitally signed message part