Re: Confusing our users - who is supporting LTS?
- Date: Tue, 23 Oct 2018 22:05:35 +0200
- From: Tollef Fog Heen <tfheen@xxxxxx>
- Subject: Re: Confusing our users - who is supporting LTS?
]] Noah Meyerhans
> To be clear, the ongoing cost to the cloud team of dealing with jessie
> on AWS (where this issue originally came up) has been exactly zero,
> afaict. That is, we haven't actually updated anything in >18 months.
> Users who launch a jessie image there get 8.7, with 106 pending updates.
> As long as LTS exists and users are happy with it, there's nothing
> strictly wrong with this situation. They should update their instances
> and reboot, but from there, they are free to continue using them in
> relative safety.
I disagree with the statement that there's nothing wrong with this.
We should not be in the business of distributing known-vulnerable
software. There are practical considerations around point releases and
such which makes this not-really-true for a period of time after there's
a security update out, but this gets converged at each point release. If
you look cdimage.d.o, we are only distributing the latest point release.
I think the same standard should apply to cloud images.
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are